The CERT Coordination Center (CERT/CC) has disclosed a security issue affecting Verizon's Voice over LTE (VoLTE) infrastructure, warning that SIP signaling traffic on the carrier's IP Multimedia Subsystem (IMS) network appears to lack IPsec integrity protection required by industry specifications.
Tracked as CVE-2026-10629 and documented in this CERT/CC advisory, the issue could allow an on-path attacker to intercept, replay, or modify VoLTE signaling traffic, potentially enabling call hijacking, spoofing, denial-of-service attacks, and manipulation of emergency call routing.
The vulnerability note was published following coordinated disclosure efforts involving researchers DongWon Lee, Jeongmin Choi, and CheolJun Park of Kyung Hee University.
According to the researchers, Verizon IMS deployments were observed transmitting SIP signaling without negotiated security protections. During testing, SIP registration exchanges lacked the Security-Client, Security-Server, and Security-Verify headers used to establish security associations, while no IPsec ESP-protected SIP traffic was detected during subsequent signaling, including REGISTER, INVITE, MESSAGE, BYE, and UPDATE requests.
The behavior was reportedly observed across multiple devices, operating systems, and network conditions, suggesting a carrier-side configuration rather than an isolated client issue.
Verizon is one of the largest wireless carriers in the United States, serving tens of millions of subscribers through its LTE and 5G networks. Its IMS infrastructure handles VoLTE services, including voice calls and messaging.
The absence of SIP integrity protection conflicts with security mechanisms described in 3GPP TS 33.203 and GSMA IR.92, which specify the use of IPsec ESP to protect SIP signaling between user devices and IMS network components following authentication.
While the issue does not directly expose the audio content of VoLTE calls, it affects the signaling traffic responsible for call setup and management. CERT/CC warns that an on-path attacker could potentially alter or replay SIP messages, enabling call disruption, signaling spoofing, call redirection, or interference with emergency services.
Verizon’s response and rebuttal
CERT/CC states that Verizon initially acknowledged the issue and indicated that integrity protection support would become available more broadly later this year. However, the organization says Verizon subsequently stopped participating in the coordination process and did not provide evidence that mitigations had been deployed.
The researchers also identified IMS IPsec-related settings in Apple's iOS 26.5 carrier bundle, released on May 11, 2026. However, CERT/CC noted that the presence of configuration settings does not confirm that SIP security negotiation or IPsec protection is active on production networks.
In its response, Verizon classified itself as “Not Affected,” arguing that the GSMA and 3GPP provisions cited in the report are not mandatory and that carriers have discretion in how they implement protections.
CERT/CC included an addendum noting that the researchers disputed Verizon's interpretation, citing sections of 3GPP TS 33.203 and GSMA IR.92 that they say require IPsec integrity protection for IMS and VoLTE signaling. Verizon did not provide details on alternative security controls that may compensate for the lack of IPsec protection.
CERT/CC says remediation would require Verizon to enable and enforce SIP security negotiation and IPsec ESP protection in its IMS infrastructure, while devices must receive and apply the necessary carrier configuration updates. Until the protections are independently verified, organizations with high-assurance VoLTE requirements should treat signaling traffic as potentially untrusted.
Leave a Reply