Executive Summary

CVE-2026-10629 is a security vulnerability in Verizon's VoLTE deployments on its IMS network where SIP signaling messages lack IPsec integrity protection. Specifically, SIP messages such as registration, call setup, and messaging are transmitted without IPsec ESP encapsulation or the necessary SIP Security Agreement headers. This absence allows an on-path attacker to intercept, monitor, and actively manipulate these unsecured SIP messages over the radio and core network.

This means the confidentiality, integrity, and authenticity of VoLTE signaling can be compromised, enabling attackers to perform passive monitoring or active attacks on the signaling traffic.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can have serious impacts including the hijacking of calls, spoofing of identities, disruption of services, and misrouting of emergency calls without detection.

Because SIP signaling is not protected, attackers can intercept and manipulate signaling messages, potentially leading to unauthorized access to communications, denial of service, or incorrect routing of critical calls.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability violates 3GPP TS 33.203 and GSMA IR.92 standards, which mandate IPsec ESP protection for SIP signaling after IMS AKA authentication.

The lack of mandated security protections means that organizations relying on Verizon's VoLTE signaling may be non-compliant with these telecommunications security standards.

While the provided text does not explicitly mention GDPR, HIPAA, or other regulations, the compromise of confidentiality, integrity, and authenticity of communications could potentially impact compliance with data protection regulations that require secure handling of personal and sensitive information.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves verifying whether SIP signaling messages in Verizon's VoLTE IMS network are transmitted without IPsec ESP encapsulation and without SIP Security Agreement headers (Security-Client/Security-Server).

To detect this on your network, you can capture SIP signaling traffic and inspect it for the absence of IPsec ESP protection and missing SIP security headers.

Suggested commands include using packet capture tools such as tcpdump or Wireshark to analyze SIP traffic:

• tcpdump -i <interface> -w capture.pcap port 5060
• In Wireshark, filter captured traffic with 'sip' and check for the presence or absence of Security-Client and Security-Server headers in SIP messages.
• Also, verify if IPsec ESP packets are present for SIP signaling by filtering for ESP protocol traffic (e.g., 'esp' filter in Wireshark).

If SIP messages are observed without these protections, the vulnerability is likely present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include treating SIP signaling in Verizon's VoLTE IMS network as untrusted until proper IPsec ESP protection and SIP Security Agreement headers are confirmed.

Organizations should verify compliance with 3GPP TS 33.203 and GSMA IR.92 standards, which mandate IPsec ESP protection for SIP signaling after IMS AKA authentication.

If possible, coordinate with Verizon or your VoLTE service provider to ensure that SIP signaling is secured with IPsec ESP and the appropriate SIP security headers.

In the absence of confirmed remediation, consider implementing additional network-level protections such as monitoring for anomalous SIP traffic, restricting access to SIP signaling paths, and using VPNs or other secure tunnels to protect signaling traffic.

Useful 0 Not Useful 0