CVE-2025-69217
📋 TL;DR
This vulnerability in coturn TURN/STUN server allows attackers to predict random nonces and port assignments due to a weak random number generator. Attackers can authenticate while spoofing IPs and predict relay ports, potentially hijacking sessions. Systems running vulnerable coturn versions 4.6.2r5 through 4.7.0-r4 are affected.
💻 Affected Systems
- coturn
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete session hijacking, unauthorized relay port allocation, and IP spoofing attacks leading to data interception or service disruption.
Likely Case
Authentication bypass in IoT environments where credentials are often known, allowing unauthorized access to TURN relay services.
If Mitigated
Limited impact if strong authentication mechanisms and network segmentation are in place, though predictability remains a concern.
🎯 Exploit Status
Exploitation requires sending ~50 sequential unauthenticated allocation requests to reconstruct RNG state; credentials needed for full authentication bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 11fc465f4bba70bb0ad8aae17d6c4a63a29917d9
Vendor Advisory: https://github.com/coturn/coturn/security/advisories/GHSA-fvj6-9jhg-9j84
Restart Required: Yes
Instructions:
1. Update coturn to a patched version (e.g., 4.7.0-r5 or later). 2. Restart the coturn service. 3. Verify the fix by checking the version and commit hash.
🔧 Temporary Workarounds
Restrict unauthenticated allocations
linuxLimit or disable unauthenticated TURN allocations to reduce attack surface.
# In coturn config: no-auth-relay
# Or set: no-udp-relay
Network segmentation
linuxIsolate coturn servers from untrusted networks.
# Use firewall rules: iptables -A INPUT -p tcp --dport 3478 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 3478 -s trusted_network -j ACCEPT
🧯 If You Can't Patch
- Implement strict network access controls to limit coturn exposure to trusted clients only.
- Monitor for unusual patterns of unauthenticated allocation requests (e.g., ~50 sequential requests).
🔍 How to Verify
Check if Vulnerable:
Check coturn version: if between 4.6.2r5 and 4.7.0-r4, and running on non-Windows OS, it's vulnerable.Check Version:
turnserver --versionVerify Fix Applied:
Verify version is patched (post-commit 11fc465f4bba70bb0ad8aae17d6c4a63a29917d9) and restart service.📡 Detection & Monitoring
Log Indicators:
- Multiple sequential unauthenticated allocation requests (~50) from single source.
- Unexpected authentication successes from spoofed IPs.
Network Indicators:
- Unusual patterns of TURN allocation requests.
- Traffic indicating port prediction attempts.
SIEM Query:
source="coturn.log" AND "allocation" AND "unauthenticated" | stats count by src_ip | where count >= 50