The author discusses vulnerabilities found in open source telecom software on GitHub, specifically within the FreeSWITCH platform. A buffer overflow in the HTTP Request Handler for XMLRPC is highlighted, and suggested fixes are provided. The author then details their attempts at disclosing the issue to FreeSWITCH’s security team, which eventually led to the patches being released on GitHub. However, despite the fixes being public, SignalWire, which develops FreeSWITCH, decided not to release an updated version for users until summer 2025, leaving potentially thousands of telecom stacks vulnerable. The post also discusses the reluctance of companies to invest in telecom security and potential solutions, and concludes with a suggestion to proceed with caution or find alternative measures until a secure version is available.
https://soatok.blog/2025/03/12/on-the-insecurity-of-telecom-stacks-in-the-wake-of-salt-typhoon/