MidnightBSD

Advisories for pexip

CVE-2014-8779 HIGH

Pexip Infinity before 8 uses the same SSH host keys across different customers' installations, which allows man-in-the-middle attackers to spoof Management and Conferencing Nodes by leveraging these keys.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-254,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2015-4719 HIGH

The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2017-17477 MEDIUM

Pexip Infinity before 17 allows an unauthenticated remote attacker to achieve stored XSS via management web interface views.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2017-6551 HIGH

Pexip Infinity before 14.2 allows remote attackers to cause a denial of service (service restart) or execute arbitrary code via vectors related to Conferencing Nodes.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2018-10432 HIGH

Pexip Infinity before 18 allows Remote Denial of Service (TLS handshakes in RTMP).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2018-10585 HIGH

Pexip Infinity before 18 allows remote Denial of Service (XML parsing).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2019-7177 HIGH

Pexip Infinity before 20.1 allows Code Injection onto nodes via an admin.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2019-7178 HIGH

Pexip Infinity before 20.1 allows privilege escalation by restoring a system backup.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2020-11805 HIGH

Pexip Reverse Proxy and TURN Server before 6.1.0 has Incorrect UDP Access Control via TURN.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip pexip_infinity 23
pexip reverse_proxy_and_turn_server 6.0.7
pexip pexip_infinity 23.1
pexip reverse_proxy_and_turn_server 6.0.10
CVE-2020-12824 MEDIUM

Pexip Infinity 23.x before 23.3 has improper input validation, leading to a temporary software abort via RTP.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2020-13387 MEDIUM

Pexip Infinity before 23.4 has a lack of input validation, leading to temporary denial of service via H.323.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2020-24615 MEDIUM

Pexip Infinity before 24.1 has Improper Input Validation, leading to temporary denial of service via SIP.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2020-25868 MEDIUM

Pexip Infinity 22.x through 24.x before 24.2 has Improper Input Validation for call setup. An unauthenticated remote attacker can trigger a software abort (temporary loss of service).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2021-29655 HIGH

Pexip Infinity Connect before 1.8.0 omits certain provisioning authenticity checks. Thus, untrusted code may execute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-345,

Products Affected

Vendor Product Version
pexip infinity_connect *
CVE-2021-29656 HIGH

Pexip Infinity Connect before 1.8.0 mishandles TLS certificate validation. The allow list is not properly checked.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-295,

Products Affected

Vendor Product Version
pexip infinity_connect *
CVE-2021-31925 MEDIUM

Pexip Infinity 25.x before 25.4 has Improper Input Validation, and thus an unauthenticated remote attacker can cause a denial of service via the administrative web interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2021-32545 MEDIUM

Pexip Infinity before 26 allows remote denial of service because of missing RTMP input validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip infinity *
CVE-2021-33498 MEDIUM

Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 1 of 2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip infinity *
CVE-2021-33499 MEDIUM

Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 2 of 2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip infinity *
CVE-2021-35969 MEDIUM

Pexip Infinity before 26 allows temporary remote Denial of Service (abort) because of missing call-setup input validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip infinity *
CVE-2021-42555 MEDIUM

Pexip Infinity before 26.2 allows temporary remote Denial of Service (abort) because of missing call-setup input validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip infinity *
CVE-2022-23228 MEDIUM

Pexip Infinity before 27.0 has improper WebRTC input validation. An unauthenticated remote attacker can use excessive resources, temporarily causing denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-25357 MEDIUM

Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-26654 MEDIUM

Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-26655 MEDIUM

Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-26656 MEDIUM

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort, and possibly enumerate usernames, via One Touch Join.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-26657 MEDIUM

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-27928 MEDIUM

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-27929 MEDIUM

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-27930 MEDIUM

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via single-sign-on if a random Universally Unique Identifier is guessed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-27931 MEDIUM

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-27932 MEDIUM

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-27933 MEDIUM

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-27934 MEDIUM

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via HTTP.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-27935 MEDIUM

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-27936 MEDIUM

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-27937 MEDIUM

Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-400,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-29286 MEDIUM

Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2022-32263

Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2023-31289

Pexip Infinity before 31.2 has Improper Input Validation for signalling, allowing remote attackers to trigger an abort.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2023-31455

Pexip Infinity before 31.2 has Improper Input Validation for RTCP, allowing remote attackers to trigger an abort.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2023-37225

Pexip Infinity before 32 allows Webapp1 XSS via preconfigured links.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2023-40236

In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N 1.6 3.6

Products Affected

Vendor Product Version
pexip virtual_meeting_rooms *
CVE-2024-33850

Pexip Infinity before 34.1 has Improper Access Control for persons in a waiting room. They can see the conference roster list, and perform certain actions that should not be allowed before they are admitted to the meeting.

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2024-37917

Pexip Infinity before 35.0 has improper input validation that allows remote attackers to trigger a denial of service (software abort) via a crafted signalling message.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2025-30080

Signalling in Pexip Infinity 29 through 36.2 before 37.0 has improper input validation that allows remote attackers to trigger a temporary denial of service (software abort).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2025-32095

Pexip Infinity before 37.0 has improper input validation in signalling that allows a remote attacker to trigger a software abort via a crafted signalling message, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2025-32096

Pexip Infinity 33.0 through 37.0 before 37.1 has improper input validation in signaling that allows an attacker to trigger a software abort, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2025-48704

Pexip Infinity 35.0 through 37.2 before 38.0 has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2025-49088

Pexip Infinity 32.0 through 37.1 before 37.2, in certain configurations of OTJ (One Touch Join) for Teams SIP Guest Join, has Improper Input Validation in the OTJ service, allowing a remote attacker to trigger a software abort via a crafted calendar invite, leading to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2025-59683

Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2025-66377

Pexip Infinity before 39.0 has Missing Authentication for a Critical Function in a product-internal API, allowing an attacker (who already has access to execute code on one node within a Pexip Infinity installation) to impact the operation of other nodes within the installation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.5 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2025-66378

Pexip Infinity 38.0 and 38.1 before 39.0 has insufficient access control in the RTMP implementation, allowing an attacker to disconnect RTMP streams traversing a Proxy Node.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2025-66379

Pexip Infinity before 39.0 has Improper Input Validation in the media implementation, allowing a remote attacker to trigger a software abort via a crafted media stream, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *
CVE-2025-66443

Pexip Infinity 35.0 through 38.1 before 39.0, in non-default configurations that use Direct Media for WebRTC, has Improper Input Validation in signalling that allows an attacker to trigger a software abort, resulting in a temporary denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
pexip pexip_infinity *