CVE-2024-33850

4.3 MEDIUM

📋 TL;DR

Pexip Infinity before version 34.1 has an improper access control vulnerability in waiting rooms. Unadmitted participants can view the conference roster and perform unauthorized actions before being granted access to the meeting. This affects all Pexip Infinity deployments running vulnerable versions.

💻 Affected Systems

Products:
  • Pexip Infinity
Versions: All versions before 34.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All Pexip Infinity deployments with waiting room functionality enabled are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unadmitted participants could disrupt meetings by performing unauthorized actions, potentially accessing sensitive participant information or interfering with meeting controls.

🟠 Likely Case

Participants in waiting rooms can see who is in the conference before being admitted, potentially revealing sensitive meeting attendance information.

🟢 If Mitigated

With proper access controls, participants only see the roster and can perform actions after being formally admitted to the meeting.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires being placed in a waiting room, which typically requires some level of authentication to join the meeting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 34.1

Vendor Advisory: https://docs.pexip.com/admin/security_bulletins.htm

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade to Pexip Infinity version 34.1 or later.
3. Restart services.
4. Verify functionality.

🔧 Temporary Workarounds

Disable waiting rooms (applies to: all)

Temporarily disable waiting room functionality to prevent exploitation:

pexip_admin_cli --disable-waiting-rooms

Restrict meeting access (applies to: all)

Use meeting passwords and authenticated access only.

🧯 If You Can't Patch

  • Disable waiting room functionality entirely
  • Implement strict meeting access controls with authentication requirements

🔍 How to Verify

Check if Vulnerable:

Check the Pexip Infinity version via the admin interface or CLI. If the version is below 34.1, the system is vulnerable.

Check Version:

pexip_admin_cli --version

Verify Fix Applied:

After the upgrade, test the waiting room functionality to confirm that participants cannot see the roster or perform actions before they are admitted.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized roster access attempts from waiting room participants
  • Unexpected actions from unadmitted users

Network Indicators:

  • Unusual API calls from waiting room participants to roster endpoints

SIEM Query:

source="pexip" AND (event="roster_access" OR event="unauthorized_action") AND user_status="waiting"
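The SIEM query above, applied offline to a few constructed log lines so the matching logic can be checked before it is deployed. This is an added example, not code from the page or from Pexip; the key="value" layout and the field names source, event, user_status and participant are assumptions taken from the query, and real Pexip Infinity log output will differ.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not real Pexip output). The key="value" layout
# and the field names are assumptions that mirror the page's SIEM query.
SAMPLE_LOGS = [
    'source="pexip" event="roster_access" user_status="admitted" participant="alice"',
    'source="pexip" event="roster_access" user_status="waiting" participant="dave"',
    'source="pexip" event="unauthorized_action" user_status="waiting" participant="dave"',
    'source="pexip" event="join" user_status="waiting" participant="bob"',
    'source="other" event="roster_access" user_status="waiting" participant="carol"',
]

# Matches one key="value" pair; values may be empty but may not contain quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, str]:
    """Turn a key="value" log line into a dict of fields."""
    return dict(KV_RE.findall(line))


def is_waiting_room_violation(rec: Dict[str, str]) -> bool:
    """Same predicate as the SIEM query: roster access or an action by a participant
    whose status is still 'waiting', restricted to the pexip source."""
    return (
        rec.get("source") == "pexip"
        and rec.get("event") in {"roster_access", "unauthorized_action"}
        and rec.get("user_status") == "waiting"
    )


def find_violations(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records that the query would surface."""
    return [r for r in (parse_line(ln) for ln in lines) if is_waiting_room_violation(r)]


def violations_by_participant(lines: List[str]) -> Dict[str, int]:
    """Count matching events per participant, useful for alert thresholds."""
    counts: Dict[str, int] = {}
    for rec in find_violations(lines):
        name = rec.get("participant", "unknown")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in find_violations(SAMPLE_LOGS):
        print(rec["participant"], rec["event"])
```

On a patched 34.1 deployment the same query should return no matches for waiting-status participants, so it also serves as a post-upgrade check.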
