CVE-2026-49843
Undergoing Analysis - In Progress
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot: it sends that client a verto.punt, detaches its calls, and closes its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Vendor: freeswitch
Product: mod_verto
Version / Range: up to 1.11.1, shown as inclusive by the page's CPE entry; the description and the patch note give 1.11.1 as the fixed release, so treat versions earlier than 1.11.1 as affected and 1.11.1 itself as fixed.
CWE
CWE-287 (Improper Authentication): When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

CVE-2026-49843 is a vulnerability in FreeSWITCH's mod_verto module: the JSON-RPC handler binds a WebSocket connection to the client-supplied session ID (sessid) on the first frame, before the connection has authenticated. Binding inserts the connection into the global session hash, and if the supplied sessid collides with one that is already bound, the prior occupant is evicted: it is sent a verto.punt, its calls are detached, and its socket is closed.

An unauthenticated network attacker who knows a target session UUID can therefore evict the legitimate client from its session, a denial of service against that client. The attacker's own connection still has to pass the authentication gate, so this is not an authentication bypass or a session takeover.

The issue affects FreeSWITCH versions prior to 1.11.1. The fix in 1.11.1 defers the sessid binding until after the authentication gate, so an unauthenticated frame can no longer touch the session hash.
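To make the ordering problem concrete, here is a small Python model of the two handler orderings, added for this page and not FreeSWITCH code. The session table, the `login` frame shape, the credential store and the addresses are assumptions for the illustration; what it preserves from the advisory is the collision rule: inserting a connection under a sessid that is already bound punts the prior occupant, detaches its calls and closes its socket. Running the same two-client scenario through both orderings shows why the pre-1.11.1 handler lets a frame that never authenticates evict a live session, and why deferring the bind past the gate stops it.

```python
"""Model of the mod_verto sessid binding order (added illustration, not FreeSWITCH code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed credential store standing in for the directory lookup (assumption).
CREDENTIALS = {"1000@example.com": "correct-horse"}


@dataclass
class Connection:
    peer: str
    authenticated: bool = False
    sessid: Optional[str] = None
    is_open: bool = True
    calls: List[str] = field(default_factory=list)
    pushed: List[str] = field(default_factory=list)   # server -> client notifications


class SessionTable:
    """Global sessid -> connection hash. Inserting under an already-bound key evicts the occupant."""

    def __init__(self) -> None:
        self._by_sessid: Dict[str, Connection] = {}

    def bind(self, conn: Connection, sessid: str) -> None:
        prior = self._by_sessid.get(sessid)
        if prior is not None and prior is not conn:
            prior.pushed.append("verto.punt")   # tell the old client it has been punted
            prior.calls.clear()                 # detach its calls
            prior.is_open = False               # close its socket
        self._by_sessid[sessid] = conn
        conn.sessid = sessid

    def owner(self, sessid: str) -> Optional[Connection]:
        return self._by_sessid.get(sessid)


def authenticate(frame: dict) -> bool:
    params = frame.get("params") or {}
    return CREDENTIALS.get(params.get("login")) == params.get("passwd")


def handle_frame_vulnerable(table: SessionTable, conn: Connection, frame: dict) -> dict:
    """Pre-1.11.1 ordering described in the advisory: bind on the first frame, then authenticate."""
    if conn.sessid is None:
        table.bind(conn, frame["params"]["sessid"])
    if not conn.authenticated:
        if not authenticate(frame):
            return {"error": "authentication failed"}
        conn.authenticated = True
    return {"result": "ok"}


def handle_frame_fixed(table: SessionTable, conn: Connection, frame: dict) -> dict:
    """Binding deferred until the connection has passed the authentication gate."""
    if not conn.authenticated:
        if not authenticate(frame):
            return {"error": "authentication failed"}
        conn.authenticated = True
    if conn.sessid is None:
        table.bind(conn, frame["params"]["sessid"])
    return {"result": "ok"}


def login_frame(login: str, passwd: str, sessid: str) -> dict:
    # Assumed first-frame shape: a JSON-RPC "login" request carrying the client-chosen sessid.
    return {"jsonrpc": "2.0", "id": 1, "method": "login",
            "params": {"login": login, "passwd": passwd, "sessid": sessid}}


def scenario(handler) -> dict:
    """Victim logs in and is on a call; an attacker who knows the sessid sends one frame with bad credentials."""
    table = SessionTable()
    sessid = "2b6a7c0e-1d4f-4c5b-9e8a-3f2d1c0b9a87"   # constructed UUID
    victim = Connection(peer="10.0.0.5")
    handler(table, victim, login_frame("1000@example.com", "correct-horse", sessid))
    victim.calls.append("call-1")
    attacker = Connection(peer="198.51.100.7")
    reply = handler(table, attacker, login_frame("1000@example.com", "wrong", sessid))
    return {
        "victim_open": victim.is_open,
        "victim_calls": len(victim.calls),
        "victim_pushed": list(victim.pushed),
        "attacker_authenticated": attacker.authenticated,
        "sessid_owner_is_victim": table.owner(sessid) is victim,
        "attacker_reply": reply,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_frame_vulnerable), ("fixed", handle_frame_fixed)):
        print(name, scenario(handler))
```

In the vulnerable ordering the attacker's reply is still an authentication failure, yet the victim has already been punted, its call detached and its socket closed, and the sessid slot now points at the attacker's dead connection. In the fixed ordering the failed login returns before `bind` is ever reached and the victim's state is untouched.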

Impact Analysis

This vulnerability lets an unauthenticated attacker evict legitimate clients from their mod_verto sessions. The victim's calls are detached and its WebSocket connection is closed, so the effect is a denial of service against that client.

The attacker gains neither the victim's session nor a way past authentication, so the impact is limited to availability; confidentiality and integrity are not affected.

Exploitation requires network reachability of the mod_verto WebSocket listener and prior knowledge of the target session UUID. The sessid is chosen by the client, so how guessable it is depends on the client; a randomly generated UUID cannot be brute-forced over the network, and in practice the attacker has to obtain it from somewhere it was exposed, for example a shared or compromised endpoint, or a proxy or log that records the JSON-RPC frames.

Mitigations include restricting access to the WebSocket listener and disabling mod_verto where it is not used; the fix is in version 1.11.1.

Detection Guidance

The vulnerable behaviour is a connection being bound to a client-supplied sessid before authentication, so the observable is a sessid that is already bound to a live connection arriving again on a new connection, typically from a different source address and without a successful login. Detection therefore centres on traffic to the mod_verto WebSocket listener and on FreeSWITCH's own view of session evictions.

  • Capture traffic on the mod_verto listener ports with tcpdump or Wireshark. The defaults are 8081 (ws) and 8082 (wss), set by the bind-local parameters in verto.conf.xml; check the running configuration rather than assuming them.
  • Example: tcpdump -i <interface> port 8081 -w mod_verto_traffic.pcap (substitute the configured port). Only the plaintext ws listener yields readable JSON-RPC; wss traffic has to be decrypted (session keys, or capture at the TLS terminator) before the frames can be inspected.
  • In the decoded frames, key on the sessid field of client requests: the same sessid appearing on a second connection while the first is still open is the collision this CVE exploits, whereas a sessid reappearing after its previous connection closed is a client reconnecting and should not alert on its own.
  • Correlate with FreeSWITCH logs, and with verto.punt messages sent to clients, for unexpected evictions and WebSocket disconnections of sessions that did not themselves reconnect.
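Added here as an illustration, not the page's or FreeSWITCH's code: a Python sketch of the correlation the bullets describe, run over a constructed list of decoded WebSocket text frames. The record format, the `login` method name and the addresses are assumptions; a real capture needs a WebSocket decoder in front of this, and the wss listener has to be decrypted or inspected at the TLS terminator before any JSON-RPC text is visible. The distinction it encodes, which is what keeps false positives down, is that a sessid reappearing after its previous connection closed is a normal reconnect, while a sessid reappearing while its holder is still open is the collision this CVE describes.

```python
"""Flag sessid collisions in decoded mod_verto JSON-RPC traffic (added illustration, not FreeSWITCH code)."""
import json
from typing import Dict, List, Tuple

# Constructed sample: one record per decoded WebSocket text frame (or connection close).
# "src" is always the client address of that connection, whichever way the frame travels.
# Record shape and the "login" method name are assumptions for this example.
SESSID = "2b6a7c0e-1d4f-4c5b-9e8a-3f2d1c0b9a87"   # constructed UUID


def _login(passwd: str) -> str:
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "login",
                       "params": {"login": "1000@example.com", "passwd": passwd, "sessid": SESSID}})


SAMPLE_FRAMES = [
    {"t": 1, "conn": "c1", "src": "10.0.0.5", "dir": "c2s", "text": _login("correct-horse")},
    {"t": 2, "conn": "c1", "src": "10.0.0.5", "dir": "s2c",
     "text": json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"message": "logged in"}})},
    # Benign: the client's socket drops and it reconnects with the same sessid.
    {"t": 3, "conn": "c1", "src": "10.0.0.5", "dir": "close"},
    {"t": 4, "conn": "c2", "src": "10.0.0.5", "dir": "c2s", "text": _login("correct-horse")},
    # Suspicious: the same sessid arrives from another host while c2 is still open.
    {"t": 5, "conn": "c3", "src": "198.51.100.7", "dir": "c2s", "text": _login("wrong")},
    # The server then punts c2, which is the eviction the advisory describes.
    {"t": 6, "conn": "c2", "src": "10.0.0.5", "dir": "s2c",
     "text": json.dumps({"jsonrpc": "2.0", "method": "verto.punt", "params": {}})},
]


def detect(frames: List[dict]) -> List[str]:
    """Return one alert line per sessid collision and per server-side punt, in capture order."""
    holder: Dict[str, Tuple[str, str]] = {}   # sessid -> (conn, src) currently holding it
    open_conns = set()
    alerts: List[str] = []
    for f in frames:
        if f["dir"] == "close":
            open_conns.discard(f["conn"])
            continue
        try:
            msg = json.loads(f["text"])
        except ValueError:
            continue   # not JSON-RPC; ignore
        if f["dir"] == "s2c":
            if msg.get("method") == "verto.punt":
                alerts.append(f"t={f['t']} server punted {f['conn']} ({f['src']})")
            continue
        open_conns.add(f["conn"])
        sessid = (msg.get("params") or {}).get("sessid")
        if not sessid:
            continue
        prev = holder.get(sessid)
        if prev is not None and prev[0] != f["conn"] and prev[0] in open_conns:
            origin = "different host" if prev[1] != f["src"] else "same host"
            alerts.append(f"t={f['t']} sessid {sessid} reused by {f['conn']} ({f['src']}) "
                          f"while {prev[0]} ({prev[1]}) is still open [{origin}]")
        holder[sessid] = (f["conn"], f["src"])
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_FRAMES):
        print(line)
```

On the sample the reconnect at t=4 produces nothing, the cross-host reuse at t=5 produces the collision alert, and the verto.punt at t=6 is reported as the matching eviction; seeing the two together is the signature worth paging on.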
Mitigation Strategies

Immediate mitigation is to restrict network access to the mod_verto WebSocket listener to trusted hosts only (bind it to an internal address, front it with a VPN or reverse proxy, and allow-list the ports on the host firewall), so that unauthenticated attackers cannot reach the vulnerable handler at all.

If mod_verto is not in use, disabling the module removes the attack surface entirely.

The definitive fix is to upgrade FreeSWITCH to version 1.11.1 or later, where the sessid binding has been moved past the authentication gate.
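Added here as an illustration of the first step, not the project's shipped configuration: a verto.conf.xml profile excerpt with the exposed binding beside the restricted one. The profile name and the addresses are assumptions; bind-local is the parameter mod_verto reads for its listeners, and 8081/8082 are its default ws/wss ports.

```xml
<!-- verto.conf.xml, <profiles> excerpt (example added to this page; profile name and
     addresses are assumptions, not a copy of any real deployment). -->
<profiles>
  <profile name="default-v4">
    <!-- Weak: listening on all interfaces lets any host that can route to this
         machine open a WebSocket and deliver the first JSON-RPC frame. -->
    <!--
    <param name="bind-local" value="0.0.0.0:8081"/>
    <param name="bind-local" value="0.0.0.0:8082" secure="true"/>
    -->

    <!-- Corrected: bind only to the address reachable from the trusted client
         network (VPN or reverse-proxy hop), and pair it with a host firewall rule
         that allows 8081/8082 from the trusted ranges only. -->
    <param name="bind-local" value="10.0.0.2:8081"/>
    <param name="bind-local" value="10.0.0.2:8082" secure="true"/>
  </profile>
</profiles>
```

Listener bindings are read when the module starts, so reload it (unload and load mod_verto from fs_cli, or restart FreeSWITCH) after the change. If the module is not needed at all, comment out `<load module="mod_verto"/>` in autoload_configs/modules.conf.xml instead, which removes the listener entirely. Neither step replaces the upgrade: a client that can still reach the listener can still send the unauthenticated first frame until 1.11.1 is deployed.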

Compliance Impact

The vulnerability in FreeSWITCH's mod_verto module allows an unauthenticated attacker to evict legitimate client sessions, causing a denial-of-service impact by disrupting availability.

However, the attacker cannot bypass authentication or access sensitive data, so the impact is limited to availability without compromising confidentiality or integrity.

Given this, the vulnerability may affect compliance with standards that require high availability and service continuity, but it does not directly expose personal data or violate data protection requirements such as those in GDPR or HIPAA.

Mitigations like restricting access to the mod_verto listener or disabling the module if unused can reduce risk and help maintain compliance.
