CVE-2025-12204 identifies a heap-based buffer overflow vulnerability in Kamailio version 5.5, a widely used open-source SIP server for VoIP communications. The vulnerability exists in the rve_destroy function within the src/core/rvalue.c file, part of the Configuration File Handler component. This function improperly manages memory, allowing an attacker with local access and low privileges to trigger a heap overflow by manipulating configuration data. The overflow can corrupt adjacent memory, potentially leading to arbitrary code execution, denial of service, or information disclosure. Exploitation does not require user interaction but does require local access and low privileges, limiting remote attack feasibility. The vulnerability was publicly disclosed on October 27, 2025, with no vendor response or patch available at the time. The CVSS 4.8 score reflects a medium severity level due to the local attack vector and limited scope of impact. No known exploits have been observed in the wild, but the public disclosure increases the risk of future exploitation. Kamailio is commonly deployed in telecom environments for SIP signaling, making this vulnerability relevant for organizations relying on VoIP infrastructure.

For European organizations, the impact of this vulnerability could be significant in sectors relying on Kamailio for VoIP and telecommunication services. Successful exploitation could allow an attacker with local access to execute arbitrary code, disrupt service availability, or access sensitive communication data, undermining confidentiality and integrity. This could lead to service outages, interception or manipulation of voice communications, and potential lateral movement within networks. Given the critical role of VoIP in business communications, especially in finance, government, and critical infrastructure sectors, exploitation could disrupt operations and damage trust. The medium severity rating reflects the need for vigilance but also the limited attack vector, as remote exploitation is not feasible without prior local access. Organizations with remote access mechanisms or weak internal controls may face elevated risk.

Since no official patch is currently available, European organizations should implement strict access controls to limit local access to Kamailio servers, including enforcing least privilege principles and network segmentation. Monitoring and logging of local activities on Kamailio hosts should be enhanced to detect anomalous behavior indicative of exploitation attempts. Employing application whitelisting and integrity monitoring can help detect unauthorized modifications. Organizations should prepare to apply patches promptly once released by the vendor. Additionally, consider deploying intrusion detection systems tailored to VoIP traffic to identify exploitation attempts. Regular security audits of configuration files and memory management practices in Kamailio deployments can reduce risk. Finally, educating administrators on the risks of local privilege escalation and buffer overflow exploits will improve overall security posture.