CVE-2025-49088

5.9 MEDIUM

📋 TL;DR

This vulnerability in Pexip Infinity's OTJ service allows remote attackers to cause denial of service by sending specially crafted calendar invites. Systems running Pexip Infinity versions 32.0 through 37.1 with OTJ for Teams SIP Guest Join enabled are affected.

💻 Affected Systems

Products:
  • Pexip Infinity
Versions: 32.0 through 37.1
Operating Systems: All supported Pexip Infinity platforms
Default Config Vulnerable: ✅ No
Notes: Only affects systems with OTJ (One Touch Join) for Teams SIP Guest Join enabled in specific configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of the OTJ functionality, preventing Teams SIP Guest Join operations until service restart.

🟠 Likely Case

Temporary service interruption affecting Teams guest join capabilities, requiring manual intervention to restore.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, allowing quick detection and recovery.

🌐 Internet-Facing: MEDIUM - Attackers can exploit remotely if OTJ service is exposed, but requires specific configuration and crafted payload.
🏢 Internal Only: LOW - Internal attackers could exploit, but the impact is limited to denial of service rather than data compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted calendar invite to the vulnerable OTJ service endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 37.2

Vendor Advisory: https://docs.pexip.com/admin/security_bulletins.htm

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade to Pexip Infinity version 37.2 or later.
3. Restart all Pexip Infinity services.
4. Verify that OTJ functionality is restored.

🔧 Temporary Workarounds

Disable OTJ for Teams SIP Guest Join

Platforms: all

Temporarily disable the vulnerable feature until patching can be completed.

pexipconfig --disable-otj-teams

Network Access Control

Platforms: all

Restrict access to OTJ service endpoints to trusted sources only.

🧯 If You Can't Patch

  • Implement strict network filtering to limit access to OTJ service endpoints
  • Monitor OTJ service logs for abnormal calendar invite patterns and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check Pexip Infinity version and verify OTJ for Teams SIP Guest Join is enabled in configuration.

Check Version:

pexip --version

Verify Fix Applied:

Confirm version is 37.2 or later and OTJ service remains functional after receiving test calendar invites.

📡 Detection & Monitoring

Log Indicators:

  • OTJ service crash logs
  • Abnormal calendar invite processing errors
  • Service restart events in OTJ logs

Network Indicators:

  • Unusual volume of calendar invites to OTJ endpoints
  • Malformed calendar invite patterns

SIEM Query:

source="pexip" AND ("OTJ crash" OR "calendar invite error" OR "service abort")
