CVE-2025-49088: CWE-617 Reachable Assertion in Pexip Infinity
CVE-2025-49088 is a medium severity vulnerability in Pexip Infinity versions 32.0 through 37.1 (all releases prior to 37.2), affecting the One Touch Join (OTJ) service for Teams SIP Guest Join. The flaw is a reachable assertion (CWE-617) reached through insufficient validation of external input: a remote attacker can send a crafted calendar invite that triggers an assertion failure, causing the OTJ service to abort and resulting in a denial of service (DoS). Exploitation requires no authentication or user interaction but has a high attack complexity. The vulnerability impacts availability only; confidentiality and integrity are not affected. No exploits are currently reported in the wild. European organizations using Pexip Infinity for Teams SIP guest joining are at risk of service disruption. Mitigation involves upgrading to version 37.2 or later.
AI Analysis
Technical Summary
CVE-2025-49088 is a vulnerability classified under CWE-617 (Reachable Assertion) found in Pexip Infinity versions 32.0 through 37.1, i.e. every release before 37.2. The vulnerability arises from insufficient input validation in the One Touch Join (OTJ) service, specifically in deployments configured for Teams SIP Guest Join. An attacker can remotely deliver a specially crafted calendar invite that reaches an assertion inside the OTJ service; the assertion fails, the process aborts, and legitimate users cannot use OTJ functionality until the service is restarted. No privileges or user interaction are required, so the flaw is exploitable over the network by anyone able to get an invite in front of the OTJ service. The CVSS v3.1 base score is 5.9 (medium), reflecting the high attack complexity and an impact limited to availability; no confidentiality or integrity impact is recorded. No public exploits have been reported, but the vulnerability could disrupt business communications that rely on Pexip Infinity's integration with Microsoft Teams SIP guest joining. The flaw is specific to certain configurations, so organizations should review their deployment settings to establish whether OTJ for Teams SIP Guest Join is enabled. The fix is in version 37.2; the advisory does not link a patch note, so organizations should confirm the fixed version against the vendor's release notes and apply any additional vendor-provided mitigations. The case illustrates why assertions are not a substitute for input validation in communication platforms: a single malformed piece of external data should be rejected, not allowed to abort the service.
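The weakness class behind this CVE, shown as an added illustration rather than Pexip's code: a small iCalendar-style invite parser that uses assertions as its input check (the CWE-617 pattern) beside a hardened version that validates the same fields with ordinary conditionals and a recoverable error. The invite text, field names and the simulated service loop are all constructed for the example; the advisory does not disclose which field in the real invite triggers the assertion, and this code does not attempt to reproduce it.

```python
"""Illustrative CWE-617 (reachable assertion) pattern in an invite parser.

Added example, not Pexip's code. The invite format and field checks are
constructed for illustration and do not reproduce the CVE-2025-49088 trigger.
"""

import re

# Constructed sample invites. The malformed one has no UID and a DTSTART
# that is not a UTC date-time.
GOOD_INVITE = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:20250101T090000Z-1@example.invalid
DTSTART:20250101T090000Z
DTEND:20250101T100000Z
LOCATION:sip:guest@teams.example.invalid
END:VEVENT
END:VCALENDAR"""

BAD_INVITE = """BEGIN:VCALENDAR
BEGIN:VEVENT
DTSTART:not-a-date
DTEND:20250101T100000Z
LOCATION:sip:guest@teams.example.invalid
END:VEVENT
END:VCALENDAR"""

_DT_RE = re.compile(r"^\d{8}T\d{6}Z$")  # e.g. 20250101T090000Z


def _properties(ical: str) -> dict:
    """Flatten the property lines of the invite into {NAME: value}."""
    props = {}
    for line in ical.splitlines():
        if ":" in line and not line.startswith(("BEGIN", "END")):
            name, _, value = line.partition(":")
            props[name.strip().upper()] = value.strip()
    return props


class InviteError(ValueError):
    """Raised by the hardened parser for a malformed invite."""


def parse_invite_vulnerable(ical: str) -> dict:
    """Vulnerable: assertions double as input validation. A crafted invite
    reaches an assert, AssertionError propagates, and a service that does not
    catch it aborts. (Under `python -O` the asserts vanish entirely and the
    bad data flows through, which is the other half of why this is wrong.)"""
    props = _properties(ical)
    assert "UID" in props, "invite must carry a UID"
    assert _DT_RE.match(props.get("DTSTART", "")), "DTSTART must be UTC"
    assert _DT_RE.match(props.get("DTEND", "")), "DTEND must be UTC"
    return {"uid": props["UID"], "start": props["DTSTART"],
            "end": props["DTEND"], "location": props.get("LOCATION", "")}


def parse_invite_hardened(ical: str) -> dict:
    """Hardened: explicit checks on external input; failures raise a
    recoverable InviteError that the caller logs and drops."""
    props = _properties(ical)
    if "UID" not in props:
        raise InviteError("missing UID")
    for key in ("DTSTART", "DTEND"):
        if not _DT_RE.match(props.get(key, "")):
            raise InviteError(f"{key} is not a UTC date-time")
    return {"uid": props["UID"], "start": props["DTSTART"],
            "end": props["DTEND"], "location": props.get("LOCATION", "")}


def process_queue(invites, parser):
    """Simulated service loop. Returns (accepted, rejected, crashed).
    An uncaught AssertionError stands in for the service aborting: every
    invite after it is never processed."""
    accepted = rejected = 0
    for invite in invites:
        try:
            parser(invite)
            accepted += 1
        except InviteError:
            rejected += 1
        except AssertionError:
            return accepted, rejected, True
    return accepted, rejected, False


if __name__ == "__main__":
    queue = [GOOD_INVITE, BAD_INVITE, GOOD_INVITE]
    print("vulnerable:", process_queue(queue, parse_invite_vulnerable))
    print("hardened:  ", process_queue(queue, parse_invite_hardened))
```

Run with a queue of good, bad, good: the vulnerable loop accepts one invite and then crashes, losing the third, while the hardened loop accepts two and rejects one. The point for defenders is that the availability impact comes from the process-level abort, not from the malformed data itself; the same validation done with conditionals turns a DoS into a dropped message.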
Potential Impact
For European organizations, the primary impact of CVE-2025-49088 is the disruption of video conferencing and collaboration services that rely on Pexip Infinity’s OTJ feature for Teams SIP Guest Join. This can lead to denial of service, preventing users from joining meetings seamlessly via calendar invites, potentially causing operational delays and reduced productivity. Organizations in sectors such as finance, government, healthcare, and large enterprises that depend heavily on Microsoft Teams integrations for remote collaboration are particularly vulnerable. The disruption could affect internal communications and external client interactions, impacting business continuity. Since the vulnerability does not compromise confidentiality or integrity, data breaches are unlikely; however, the availability impact could be significant during critical meetings or events. The medium severity rating indicates that while the threat is not critical, it warrants timely attention to avoid service interruptions. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks.
Mitigation Recommendations
To mitigate CVE-2025-49088, European organizations should:
1) Upgrade Pexip Infinity to version 37.2 or later; this is the version that addresses the vulnerability, and every release from 32.0 through 37.1 is affected.
2) Review the configuration of the OTJ service for Teams SIP Guest Join and disable OTJ where it is not required, so that unpatched nodes do not process external invites at all.
3) Where the invite delivery path allows it, validate and filter calendar invites before they reach the OTJ service so that malformed invites are rejected rather than passed through.
4) Monitor logs and alerts for OTJ service aborts or restarts, and for anomalous calendar invites, to detect exploitation attempts.
5) Coordinate with Microsoft Teams and Exchange administrators to ensure that calendar invite sources are trusted and authenticated where possible.
6) Test calendar invite handling internally to identify any further input validation weaknesses.
7) Maintain up-to-date backups and incident response plans so that service can be restored quickly after a disruption.
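Two of the steps above, the version check in 1) and the crash monitoring in 4), as an added example that is not Pexip's own tooling: a helper that decides whether a reported Pexip Infinity version lies in the affected range (32.0 <= v < 37.2) and a sliding-window detector that flags repeated OTJ assertion aborts in a log stream. The log format, service name and messages are constructed for the example; real Pexip log lines differ and the line regex must be adapted before use.

```python
"""Affected-version check and OTJ abort-burst detection for CVE-2025-49088.

Added example, not vendor tooling. SAMPLE_LOG uses a constructed format
(timestamp, service, level, message); adapt _LINE_RE to real log output.
"""

import re
from datetime import datetime, timedelta

AFFECTED_MIN = (32, 0)   # first affected release per the advisory
FIXED = (37, 2)          # first fixed release per the advisory


def parse_version(text):
    """Return (major, minor) from strings such as '37.1' or 'v32.0.3'."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version_text):
    """True when the version falls in 32.0 <= v < 37.2."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED


# Constructed sample log: three aborts in 20 seconds, then one isolated
# abort 90 minutes later.
SAMPLE_LOG = """\
2026-01-05T09:00:01Z otj INFO processing invite uid=abc
2026-01-05T09:00:02Z otj ERROR assertion failed: invite parser
2026-01-05T09:00:03Z supervisor INFO restarting service otj
2026-01-05T09:00:10Z otj ERROR assertion failed: invite parser
2026-01-05T09:00:11Z supervisor INFO restarting service otj
2026-01-05T09:00:20Z otj ERROR assertion failed: invite parser
2026-01-05T09:00:21Z supervisor INFO restarting service otj
2026-01-05T10:30:00Z otj ERROR assertion failed: invite parser
"""

_LINE_RE = re.compile(r"^(\S+) (\S+) (\w+) (.*)$")


def abort_events(log_text, service="otj", marker="assertion failed"):
    """Timestamps of lines from `service` whose message contains `marker`."""
    times = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ts, svc, _level, msg = m.groups()
        if svc == service and marker in msg:
            times.append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return times


def abort_bursts(log_text, window=timedelta(minutes=5), threshold=3):
    """Return the timestamp that completes each burst of `threshold` aborts
    inside `window`. One alert per burst: the window resets after firing."""
    times = abort_events(log_text)
    alerts = []
    start = 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if i - start + 1 >= threshold:
            alerts.append(t)
            start = i + 1
    return alerts


if __name__ == "__main__":
    for v in ("31.9", "32.0", "37.1", "37.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    for t in abort_bursts(SAMPLE_LOG):
        print("OTJ abort burst ending at", t.isoformat())
```

On the sample log the detector fires once, at the third abort within 09:00:02 to 09:00:20, and stays quiet for the isolated abort at 10:30. A single abort is ordinary operational noise; a burst of aborts against the OTJ service on an unpatched node is the signal worth paging on, and pairing it with `is_affected()` against the node's reported version gives the on-call engineer the two facts they need first.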
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Norway, Denmark, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-05-30T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694cc4e20921a92379c39d8a
Added to database: 12/25/2025, 5:00:18 AM
Last enriched: 1/1/2026, 10:40:24 PM
Last updated: 2/6/2026, 5:37:12 AM