PJSIP GnuTLS Build SIP TLS Transport Certificate Verification Vulnerability

Vulnerability

In PJSIP versions prior to 2.17 built against GnuTLS, the SIP TLS transport can accept connections that present invalid or untrusted certificates, even when the application has enabled certificate verification. A network-positioned attacker could use this to intercept SIPS connections or to bypass mutual-TLS authentication.

Impact

The vulnerability allows a network-positioned attacker to tamper with TLS connections. In client mode, untrusted, expired, or self-signed server certificates are accepted, which enables man-in-the-middle attacks. In server mode, any client certificate is accepted, which bypasses mutual-TLS authentication.

Remediation

Update to PJSIP version 2.17, where this vulnerability has been patched. The fix is available in the master branch.

Added: May 7, 2026, 8:48 PM
Updated: May 7, 2026, 8:48 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           9.8
impact           5.0
exploitability   6.9
remediation      8.3
relevance        7.7
threat           3.2
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.