
CVE-2025-53399: CWE-346 Origin Validation Error in Sipwise rtpengine

Severity: Medium
Tags: CVE-2025-53399, CWE-346
Published: Fri Aug 01 2025 (08/01/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Sipwise
Product: rtpengine

Description

In Sipwise rtpengine before 13.4.1.1, an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to inject or intercept RTP/SRTP media streams via RTP packets (except when the relay is configured for strict source and learning disabled). Version 13.4.1.1 fixes the heuristic mode by limiting exposure to the first five packets, and introduces a recrypt flag that fully prevents SRTP attacks when both mitigations are enabled.

AI-Powered Analysis

Last updated: 11/11/2025, 06:25:15 UTC

Technical Analysis

CVE-2025-53399 is a vulnerability in Sipwise rtpengine, a media relay used in VoIP and real-time communication systems. The issue is a CWE-346 origin validation error in the endpoint-learning logic of the media-relay core: rtpengine heuristically learns the remote endpoint of a stream from incoming RTP packets in order to relay media. Before version 13.4.1.1, this logic insufficiently validates the origin of RTP/SRTP packets, so a remote attacker can inject RTP packets into a call or intercept legitimate media streams, compromising the confidentiality and integrity of voice or video communications through man-in-the-middle-style interception or unauthorized media injection. Exploitation is possible remotely without authentication or user interaction, which raises the risk profile. The vendor addressed the issue by limiting heuristic learning to the first five packets and by introducing a 'recrypt' flag that, when enabled together with strict source configuration and learning disabled, fully prevents SRTP attacks. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity), reflecting its network attack vector, the absence of required privileges or user interaction, limited impact on availability, and notable impact on confidentiality and integrity. No known exploits in the wild were reported as of publication. All versions before 13.4.1.1 are affected; organizations relying on Sipwise rtpengine for media relay in their VoIP infrastructure should prioritize patching and configuration hardening to mitigate the risk.

Potential Impact

The vulnerability allows attackers to intercept or inject RTP/SRTP media streams, potentially compromising the confidentiality and integrity of real-time communications such as voice and video calls. For European organizations, this can lead to eavesdropping on sensitive conversations, insertion of malicious media content, or disruption of communication services. Telecom providers, enterprises using VoIP systems, and critical infrastructure relying on secure media relay are particularly at risk. The impact extends to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential financial losses. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad. However, the vulnerability does not directly affect availability, limiting denial-of-service risks. The mitigations introduced reduce the window of exposure and can fully prevent attacks when properly configured, but failure to update or misconfiguration leaves systems vulnerable.

Mitigation Recommendations

1. Upgrade all affected Sipwise rtpengine instances to version 13.4.1.1 or later immediately to apply the official fix.
2. Configure rtpengine to operate in strict source mode, disabling endpoint learning to prevent heuristic acceptance of RTP packets from unverified sources.
3. Enable the 'recrypt' flag introduced in the patch to fully prevent SRTP attacks, ensuring encrypted media streams cannot be intercepted or manipulated.
4. Conduct network segmentation to isolate media relay components and restrict access to trusted sources only.
5. Monitor RTP traffic for anomalies indicative of injection or interception attempts using specialized VoIP security tools.
6. Implement logging and alerting on rtpengine endpoints to detect suspicious packet patterns early.
7. Regularly audit configurations and perform penetration testing focused on media relay components to verify the effectiveness of mitigations.
8. Educate network and security teams about this vulnerability and the importance of strict media relay configurations.
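The following is an added example, not rtpengine code: a simplified Python model of the endpoint-learning behaviour described above, with the monitoring check from steps 5 and 6 built in. Per SSRC it records the endpoint adopted during the first five packets (the 13.4.1.1 cap) and flags any later packet from a different source, which is the trace an injection or interception attempt leaves; with strict_source=True the endpoint comes only from signalling and nothing is learned. The packet records, addresses and alert labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

LEARNING_WINDOW = 5  # cap on heuristic learning per the 13.4.1.1 fix

@dataclass
class Stream:
    expected: Optional[tuple]        # endpoint from signalling (strict mode)
    learned: Optional[tuple] = None  # endpoint learned from media (model only)
    seen: int = 0
    alerts: list = field(default_factory=list)

def accept(stream, src, strict_source=False):
    """Return True if a packet from src would be relayed, False if dropped.
    Rejected packets are recorded in stream.alerts for monitoring."""
    stream.seen += 1
    if strict_source:
        # strict source with learning disabled: only the signalled endpoint counts
        if src != stream.expected:
            stream.alerts.append(("unexpected-source", src))
            return False
        return True
    if stream.seen <= LEARNING_WINDOW:
        # learning window still open: the relay adopts the source it sees
        stream.learned = src
        return True
    if src != stream.learned:
        # window closed: a new source is a possible injection or interception
        stream.alerts.append(("source-change-after-learning", src))
        return False
    return True

def replay(packets, strict_source=False, expected=None):
    """Feed (ssrc, src) records through the model; return per-SSRC state."""
    streams = {}
    for ssrc, src in packets:
        st = streams.setdefault(ssrc, Stream(expected=expected))
        accept(st, src, strict_source)
    return streams

# constructed sample: legitimate peer, then a second source after the window
LEGIT = ("198.51.100.10", 30000)
OTHER = ("203.0.113.7", 40000)
SAMPLE = [(0x1234, LEGIT)] * 6 + [(0x1234, OTHER)] * 2 + [(0x1234, LEGIT)]

if __name__ == "__main__":
    for ssrc, st in replay(SAMPLE).items():
        print(hex(ssrc), "learned", st.learned, "alerts", st.alerts)
```

Feeding the same records with strict_source=True and expected=LEGIT produces the same two alerts labelled "unexpected-source" while nothing is ever learned, which is the configuration the advisory recommends.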


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-06-29T00:00:00.000Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 688c355dad5a09ad00bf552d

Added to database: 8/1/2025, 3:32:45 AM

Last enriched: 11/11/2025, 6:25:15 AM

Last updated: 12/3/2025, 4:21:31 AM


