Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1.
Published: 2026-06-09
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FreeSWITCH's Verto WebSocket module (mod_verto) handles the #-prefixed speed-test frames (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU is read with atoi(), and the only validation is a rejection of non-positive values, so an unauthenticated client can declare a size up to INT_MAX bytes. During the download phase the server writes back roughly ten times the declared size, on the order of 20 GB per request, which turns the endpoint into a powerful outbound bandwidth amplification vector. The flaw is uncontrolled resource consumption (CWE-400) and can be used for denial of service or to abuse the host's network bandwidth.
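As an added illustration (not code from FreeSWITCH, the patch, or this page), the program below puts the pre-fix validation the description attributes to mod_verto, atoi() followed only by a non-positive check, next to a hardened parser, and computes the download-phase volume the page gives as roughly size * 10. The frame layout "#SPU <size>", the function names and the 1 MiB cap SPU_MAX_BYTES are assumptions for this example; the limit chosen by the 1.11.1 fix is not shown on this page.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Frame layout "#SPU <size>" is an assumption for this example; the page
 * only says that #SPU carries a declared payload size. */
#define SPU_PREFIX "#SPU "
#define SPU_PREFIX_LEN (sizeof(SPU_PREFIX) - 1)

/* Assumed cap for the hardened parser (1 MiB). Not the value used by the
 * actual 1.11.1 fix, which this page does not show. */
#define SPU_MAX_BYTES (1024 * 1024)

/* Pre-fix validation as the CVE describes it: atoi() and a non-positive
 * check only. Returns the accepted size, or -1 on rejection. */
static int parse_spu_size_vulnerable(const char *frame)
{
    if (strncmp(frame, SPU_PREFIX, SPU_PREFIX_LEN) != 0)
        return -1;
    int size = atoi(frame + SPU_PREFIX_LEN); /* no upper bound, silent on trailing junk */
    if (size <= 0)
        return -1;                           /* the only rejection on the vulnerable path */
    return size;
}

/* Hardened parser (illustrative, not the project's patch): strtol() with
 * range checking, the whole field must be digits, and an upper bound.
 * Returns the accepted size, or -1 on rejection. */
static int parse_spu_size_hardened(const char *frame)
{
    if (strncmp(frame, SPU_PREFIX, SPU_PREFIX_LEN) != 0)
        return -1;
    const char *p = frame + SPU_PREFIX_LEN;
    char *end = NULL;
    errno = 0;
    long v = strtol(p, &end, 10);
    if (end == p || *end != '\0')            /* empty field or trailing garbage */
        return -1;
    if (errno == ERANGE)                     /* does not fit in a long */
        return -1;
    if (v <= 0 || v > SPU_MAX_BYTES)         /* non-positive or over the cap */
        return -1;
    return (int)v;
}

/* Bytes written back in the download phase: the page puts it at roughly
 * size * 10. Computed in 64 bits so INT_MAX * 10 does not overflow. */
static uint64_t download_phase_bytes(int size)
{
    return (uint64_t)size * 10u;
}

/* Response bytes per request byte, i.e. the amplification factor. */
static double amplification(const char *frame, uint64_t response_bytes)
{
    return (double)response_bytes / (double)strlen(frame);
}

int main(void)
{
    /* Constructed frames: one declaring INT_MAX, one with trailing junk, one sane. */
    const char *frames[] = { "#SPU 2147483647", "#SPU 12abc", "#SPU 4096" };
    for (size_t i = 0; i < sizeof(frames) / sizeof(frames[0]); i++) {
        int v = parse_spu_size_vulnerable(frames[i]);
        int h = parse_spu_size_hardened(frames[i]);
        printf("%-18s vulnerable=%d hardened=%d", frames[i], v, h);
        if (v > 0) {
            uint64_t out = download_phase_bytes(v);
            printf("  -> %llu bytes (%.2f GB), x%.0f amplification",
                   (unsigned long long)out, (double)out / 1e9,
                   amplification(frames[i], out));
        }
        printf("\n");
    }
    return 0;
}
```

Compile with any C99 compiler and run. The vulnerable parser accepts both INT_MAX and a digit string with trailing garbage (atoi() stops silently at the first non-digit), while the hardened parser rejects anything that is not a complete decimal number inside the cap. Doing the size * 10 arithmetic in 64 bits matters as well: int * 10 on INT_MAX overflows and would understate the true response volume.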

Affected Systems

SignalWire’s FreeSWITCH distribution with mod_verto is vulnerable in all releases before 1.11.1. The patch was included in FreeSWITCH 1.11.1 and later, which limits the speed‑test payload size to a safe bound.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) is high severity: the attack needs no authentication and only a short WebSocket frame, so anyone who can reach the Verto endpoint can exploit it. No EPSS score is available, and the vulnerability is not listed in CISA KEV. Administrators should treat it as a high-risk amplification flaw that can saturate outbound bandwidth and disrupt services if left unpatched.

Generated by OpenCVE AI on June 9, 2026 at 17:41 UTC.

Remediation

The OpenCVE remediation field lists no vendor fix or workaround, but the CVE description itself states that the issue is patched in FreeSWITCH 1.11.1 (see the Recommended Actions below).

OpenCVE Recommended Actions

  • Upgrade to FreeSWITCH 1.11.1 or newer, which carries the fix that bounds the speed-test payload size.
  • If the Verto module is not required for your deployment, disable or remove mod_verto entirely; otherwise restrict access to the Verto endpoint by firewall rules or internal network segmentation.
  • Monitor outbound traffic from FreeSWITCH hosts for sudden spikes associated with Verto WebSocket connections and alert on excessive bandwidth usage.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 18:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Signalwire; Signalwire freeswitch

Type: Vendors & Products
Values Removed: (none)
Values Added: Signalwire; Signalwire freeswitch

Tue, 09 Jun 2026 16:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1.

Type: Title
Values Removed: (none)
Values Added: FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-400

Type: References
Values Removed: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Signalwire Freeswitch
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T18:39:33.710Z

Reserved: 2026-06-01T18:50:36.057Z

Link: CVE-2026-49842

Vulnrichment

Updated: 2026-06-09T18:23:04.850Z

NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:48.017

Modified: 2026-06-09T19:32:29.743

Link: CVE-2026-49842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T17:45:10Z

Weaknesses