
CVE-2025-49088: CWE-617 Reachable Assertion in Pexip Infinity

Severity: Medium
Published: Thu Dec 25 2025 (12/25/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Pexip
Product: Infinity

Description

Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ (One Touch Join) for Teams SIP Guest Join, has Improper Input Validation in the OTJ service, allowing a remote attacker to trigger a software abort via a crafted calendar invite, leading to a denial of service.

AI-Powered Analysis

Last updated: 12/25/2025, 05:16:11 UTC

Technical Analysis

CVE-2025-49088 is a vulnerability in Pexip Infinity, a widely used video conferencing and collaboration platform, affecting versions 32.0 through 37.1 before 37.2. It resides in the One Touch Join (OTJ) service, which lets users join Microsoft Teams meetings via SIP Guest Join. The root cause is improper input validation in the OTJ service when it processes calendar invites, classified as CWE-617 (Reachable Assertion): a crafted calendar invite drives the service into an assertion failure, and the resulting software abort stops the service unexpectedly. The effect is a denial of service (DoS) for users who join meetings through the affected service. The attack vector is network-based and requires neither authentication nor user interaction, but the attack complexity is rated high, because crafting a working invite requires detailed knowledge of the OTJ service's input handling. The CVSS v3.1 base score is 5.9 (medium): no impact on confidentiality or integrity, but a significant impact on availability. No public exploits or in-the-wild exploitation have been reported to date. Only configurations with OTJ for Teams SIP Guest Join enabled are affected, a common setup in enterprises that use Pexip Infinity for Microsoft Teams interoperability. The record provides no patch link; the stated version range indicates that the fix is expected in version 37.2 or later. Organizations running Pexip Infinity should assess their exposure and plan to apply the update promptly.

Potential Impact

For European organizations, the primary impact of CVE-2025-49088 is service disruption due to denial of service on the Pexip Infinity OTJ service. This can interrupt critical video conferencing and collaboration workflows, especially in environments heavily dependent on Microsoft Teams integration. The disruption may affect internal communications, client meetings, and remote collaboration, potentially leading to productivity losses and operational delays. While the vulnerability does not compromise data confidentiality or integrity, the availability impact can be significant in sectors such as finance, healthcare, government, and large enterprises where continuous communication is essential. Additionally, repeated or targeted exploitation could degrade trust in the affected service and necessitate costly incident response efforts. Given the network-based attack vector and lack of authentication requirements, any exposed OTJ service endpoint is at risk, increasing the attack surface. Organizations with hybrid or remote workforces relying on Pexip Infinity for seamless Teams connectivity are particularly vulnerable to operational interruptions.

Mitigation Recommendations

1. Upgrade Pexip Infinity to version 37.2 or later as soon as the patch becomes available to address the vulnerability directly.
2. In the interim, review and restrict OTJ service exposure by limiting network access to trusted sources and using network segmentation to isolate the OTJ service.
3. Monitor calendar invite traffic for anomalies or suspicious patterns that could indicate attempts to exploit the vulnerability.
4. Disable or restrict the OTJ feature for Teams SIP Guest Join if it is not essential to business operations, reducing the attack surface.
5. Employ application-layer firewalls or intrusion prevention systems capable of inspecting and filtering malformed calendar invites targeting the OTJ service.
6. Maintain up-to-date backups and incident response plans to recover quickly from denial of service events.
7. Engage with Pexip support and subscribe to security advisories for timely updates and guidance.
8. Conduct internal awareness training for IT staff to recognize and respond to potential exploitation attempts.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-05-30T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 694cc4e20921a92379c39d8a

Added to database: 12/25/2025, 5:00:18 AM

Last enriched: 12/25/2025, 5:16:11 AM

Last updated: 12/25/2025, 8:33:50 AM
