CVE-2025-48704

7.5 HIGH

📋 TL;DR

Pexip Infinity versions 35.0 through 37.2 have an improper input validation vulnerability in signalling that allows attackers to trigger a software abort, causing denial of service. This affects all deployments running vulnerable versions of Pexip Infinity video conferencing software.

💻 Affected Systems

Products:
  • Pexip Infinity
Versions: 35.0 through 37.2 (before 38.0)
Operating Systems: Linux-based appliance
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with signalling enabled are vulnerable. This is a core component of the platform.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption of the Pexip Infinity platform, making video conferencing unavailable for all users until the service is restarted.

🟠 Likely Case: Targeted denial-of-service attacks causing service interruptions for specific conferences or system components.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, though service disruption is still possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending malformed signalling packets but does not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 38.0 or later

Vendor Advisory: https://docs.pexip.com/admin/security_bulletins.htm

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download Pexip Infinity 38.0 or later from the Pexip support portal.
3. Apply the update following Pexip's upgrade procedures.
4. Restart the system as required.

🔧 Temporary Workarounds

Network segmentation and filtering (applies to: all versions): Restrict access to Pexip Infinity signalling ports to trusted networks only.

Rate limiting (applies to: all versions): Implement rate limiting on signalling traffic to reduce the impact of DoS attempts.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach Pexip Infinity signalling ports
  • Deploy intrusion prevention systems with DoS protection capabilities in front of Pexip Infinity

🔍 How to Verify

Check if Vulnerable: Check the Pexip Infinity version via the web admin interface, or over SSH with:

grep 'version' /opt/pexip/etc/version

Verify Fix Applied: Confirm the version is 38.0 or later and monitor for abnormal service aborts.
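The version check above is a manual read of the version file. The following helper, added here as an example and not part of the original advisory or of Pexip's own tooling, turns the file contents into a verdict using the ranges stated on this page (35.0 through 37.2 affected, fixed in 38.0). The exact layout of /opt/pexip/etc/version is an assumption; the parser accepts any line containing a dotted version number. Versions that fall between 37.2 and 38.0 are reported separately, since the page lists neither as affected nor as fixed.

```python
import re

# Ranges as stated in the advisory summary on this page.
AFFECTED_MIN = (35, 0)   # first affected release
AFFECTED_MAX = (37, 2)   # last release explicitly listed as affected
FIXED_MIN = (38, 0)      # first release carrying the fix

# Match a dotted version (major.minor[.patch]) that is not glued to other digits or dots.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?(?![\d.])")


def parse_version(text):
    """Return the first version number in `text` as a tuple of ints.

    `text` is the content of the version file (format assumed; anything such as
    'version 37.1', 'Pexip Infinity 37.2' or 'v38.0.1' is accepted).
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number found in version file contents")
    return tuple(int(part) for part in m.groups() if part is not None)


def assess(text):
    """Classify the installed version against the ranges stated in the advisory.

    Returns one of:
      'fixed'             - 38.0 or later
      'vulnerable'        - 35.0 through 37.2 inclusive
      'unlisted-pre-fix'  - after 37.2 but before 38.0; not listed on the page,
                            confirm against the vendor bulletin
      'not-listed'        - earlier than 35.0; outside the stated affected range
    """
    major_minor = parse_version(text)[:2]
    if major_minor >= FIXED_MIN:
        return "fixed"
    if AFFECTED_MIN <= major_minor <= AFFECTED_MAX:
        return "vulnerable"
    if AFFECTED_MAX < major_minor < FIXED_MIN:
        return "unlisted-pre-fix"
    return "not-listed"


if __name__ == "__main__":
    # Read the version file named on this page and print the verdict.
    with open("/opt/pexip/etc/version", encoding="utf-8", errors="replace") as fh:
        print(assess(fh.read()))
```

Run it on the appliance over SSH, or feed it the output of the grep command above from a monitoring host; the verdict is a return value so it can be fed into a fleet-wide inventory check.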

📡 Detection & Monitoring

Log Indicators:

  • Unexpected service aborts
  • Signalling protocol errors
  • Process termination logs

Network Indicators:

  • Unusual signalling traffic patterns
  • Malformed SIP/H.323 packets

SIEM Query:

source="pexip" AND (event="service_abort" OR event="process_termination")
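The SIEM query above selects abort and termination events from the Pexip source. The script below, added here as an example and not part of the original advisory or of any Pexip or SIEM product, implements the same predicate over key=value log lines and then groups the hits per component so that repeated aborts of one component (the "abnormal service aborts" the verification step asks you to watch for) raise an alert. The log lines are constructed for the example; the real Pexip log format and the `component` field are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not real Pexip output). Each line is a set of
# key=value pairs; values may be quoted.
SAMPLE_LOGS = [
    'ts=2025-01-01T10:00:01Z source="pexip" event="service_abort" component="signalling" msg="abort in SIP parser"',
    'ts=2025-01-01T10:00:02Z source="pexip" event="call_setup" component="signalling" msg="INVITE received"',
    'ts=2025-01-01T10:00:03Z source="pexip" event="process_termination" component="signalling" pid=4242',
    'ts=2025-01-01T10:00:04Z source="other" event="service_abort" component="db"',
    'ts=2025-01-01T10:00:05Z source="pexip" event="service_abort" component="media"',
]

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The event names from the SIEM query on this page.
ABORT_EVENTS = {"service_abort", "process_termination"}


def parse_kv(line):
    """Parse a key=value log line into a dict; quoted values keep their spaces."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def matches_query(fields):
    """Equivalent of: source="pexip" AND (event="service_abort" OR event="process_termination")."""
    return fields.get("source") == "pexip" and fields.get("event") in ABORT_EVENTS


def summarize(lines, threshold=2):
    """Apply the query to `lines` and group hits per component.

    Returns a dict with the total hit count, hits per component, and the list of
    components whose hit count reached `threshold` (the alert condition).
    """
    hits = [f for f in (parse_kv(line) for line in lines) if matches_query(f)]
    by_component = Counter(f.get("component", "unknown") for f in hits)
    alert = sorted(c for c, n in by_component.items() if n >= threshold)
    return {"hits": len(hits), "by_component": dict(by_component), "alert": alert}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

The threshold is deliberately a parameter: a single abort after an upgrade is noise, while several aborts of the signalling component inside a short window is the pattern worth paging on. Pair the alert with the network indicators listed above rather than treating it alone as proof of exploitation.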
