CVE-2025-53399: CWE-346 Origin Validation Error in Sipwise rtpengine

Severity: Medium
Tags: Vulnerability, CVE-2025-53399, cve, cve-2025-53399, cwe-346
Published: Fri Aug 01 2025 (08/01/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Sipwise
Product: rtpengine

Description

In Sipwise rtpengine before 13.4.1.1, an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to inject or intercept RTP/SRTP media streams via RTP packets (except when the relay is configured for strict source and learning disabled). Version 13.4.1.1 fixes the heuristic mode by limiting exposure to the first five packets, and introduces a recrypt flag that fully prevents SRTP attacks when both mitigations are enabled.

AI-Powered Analysis

Last updated: 08/01/2025, 03:49:15 UTC

Technical Analysis

CVE-2025-53399 is a vulnerability in Sipwise rtpengine, a media relay used in VoIP and real-time communication systems to handle RTP (Real-time Transport Protocol) and SRTP (Secure RTP) streams. The flaw is an origin-validation error in the endpoint-learning logic of the media-relay core. Before version 13.4.1.1, rtpengine does not properly validate the source of incoming RTP packets, which allows remote attackers to inject or intercept RTP/SRTP media streams, enabling eavesdropping or media injection. The vulnerability is present unless the relay is configured with strict source checking and endpoint learning is disabled. Version 13.4.1.1 addresses the issue by limiting the heuristic learning exposure to the first five packets and by introducing a 'recrypt' flag that fully prevents SRTP attacks when both mitigations are enabled. The CVSS 4.0 base score of 6.9 (medium severity) reflects the network attack vector, no required privileges or user interaction, and limited impact on confidentiality and integrity with some availability impact. No known exploits are currently reported in the wild. The vulnerability is classified under CWE-346 (Origin Validation Error): a failure to properly verify the source of data or requests, which can lead to spoofing or injection attacks.

Potential Impact

For European organizations relying on Sipwise rtpengine for their VoIP or real-time communication infrastructure, this vulnerability poses a risk of media stream interception or injection, potentially compromising the confidentiality and integrity of voice or video communications. This could lead to unauthorized surveillance, call tampering, or insertion of malicious media content, undermining trust in communication systems. Sectors such as telecommunications providers, financial institutions, government agencies, and enterprises with sensitive communications are particularly at risk. The impact extends to regulatory compliance, as interception of communications may violate GDPR and other privacy regulations, leading to legal and reputational consequences. Additionally, compromised media streams could be leveraged for social engineering or further network intrusion attempts. Although no active exploits are known, the ease of exploitation (network accessible, no authentication required) means that attackers could potentially exploit this vulnerability if unpatched systems are exposed to untrusted networks.

Mitigation Recommendations

European organizations should prioritize upgrading Sipwise rtpengine to version 13.4.1.1 or later, which includes the necessary fixes. In addition, they should configure the relay to enforce strict source checking and disable endpoint learning where feasible to reduce attack surface. Enabling the 'recrypt' flag is critical to fully prevent SRTP attacks, especially when combined with the other mitigations. Network segmentation should be employed to restrict access to rtpengine instances, limiting exposure to untrusted networks. Deploying RTP-aware intrusion detection or prevention systems can help detect anomalous RTP packet injection or interception attempts. Regular monitoring and logging of RTP traffic can aid in early detection of suspicious activity. Organizations should also review their VoIP infrastructure for other potential weaknesses and ensure that all components are kept up to date with security patches. Finally, conducting security awareness training for administrators on secure configuration of media relays will help maintain a robust security posture.
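The RTP monitoring recommended above can be illustrated with a small detector, added here as an example (it is not code from the advisory or from Sipwise). It assumes packet records of the form (relay local port, source IP, source port, UDP payload) are already being captured; all function names, addresses and ports are hypothetical, and the window of five mirrors the limit described for version 13.4.1.1.

```python
import struct

LEARNING_WINDOW = 5  # assumption: the "first five packets" limit named in the advisory

def rtp(seq, ssrc, pt=0):
    """Build a minimal RTP v2 packet (constructed sample data)."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + b"\x00" * 160

def parse_rtp(payload):
    """Return (seq, ssrc) from the fixed 12-byte header, or None if not RTP v2."""
    if len(payload) < 12 or payload[0] >> 6 != 2:
        return None
    _vpxcc, _mpt, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    return seq, ssrc

def find_source_changes(packets, window=LEARNING_WINDOW):
    """Flag RTP packets whose source differs from the first source seen on a relay port."""
    baseline, counts, alerts = {}, {}, []
    for local_port, src_ip, src_port, payload in packets:
        hdr = parse_rtp(payload)
        if hdr is None:
            continue  # not RTP v2: ignored and not counted
        seq, ssrc = hdr
        counts[local_port] = counts.get(local_port, 0) + 1
        src = (src_ip, src_port)
        first = baseline.setdefault(local_port, src)  # first source becomes the baseline
        if src != first:
            alerts.append({
                "local_port": local_port, "expected": first, "seen": src,
                "ssrc": ssrc, "seq": seq, "packet_no": counts[local_port],
                # True when the change arrives after the learning window has closed
                "after_window": counts[local_port] > window,
            })
    return alerts

# Constructed sample: one relay port, a steady sender, and a second source
# appearing once inside the learning window and once after it.
LEGIT = ("192.0.2.10", 40000)
OTHER = ("198.51.100.7", 5004)
SAMPLE = [(30000, *LEGIT, rtp(i, 0x1111)) for i in range(1, 8)]
SAMPLE.insert(3, (30000, *OTHER, rtp(900, 0x2222)))   # arrives as packet 4
SAMPLE.append((30000, *OTHER, rtp(901, 0x2222)))      # arrives as packet 9
SAMPLE.append((30000, *LEGIT, b"\x00\x01"))           # too short to be RTP

if __name__ == "__main__":
    for alert in find_source_changes(SAMPLE):
        print(alert)
```

A source change can also be legitimate (NAT rebinding, a renegotiated endpoint), so alerts are leads to correlate with signaling rather than verdicts. Treating the first packet's source as the baseline is itself an assumption of this sketch.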

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-29T00:00:00.000Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 688c355dad5a09ad00bf552d

Added to database: 8/1/2025, 3:32:45 AM

Last enriched: 8/1/2025, 3:49:15 AM

Last updated: 9/4/2025, 10:23:14 PM
