CVE-2026-10629 · SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Clien

01 · The Real Story

This is a deadbolt missing on a hallway that almost nobody in your threat model can physically reach

CVE-2026-10629 is not a classic software bug so much as a carrier-side security design gap: Verizon's VoLTE/IMS signaling path reportedly allows SIP registration and call-control traffic without the normal IMS IPsec integrity protections, specifically missing Security-Client/Security-Server negotiation and follow-on ESP protection. The published CVE record lists the affected product only as Verizon VoLTE with version UNKNOWN, which is a red flag for patch managers because there is no clean host-level version inventory to query or package to deploy. In practice, the exposed population is Verizon IMS/VoLTE sessions where the UE-to-P-CSCF signaling path is operating without integrity protection.

The vendor-style 9.1/CRITICAL score overrates enterprise urgency because it scores impact in a vacuum and ignores the hard prerequisite: the attacker must already be *on path* in a telecom context. That usually means radio-layer positioning, rogue base-station capability, carrier/core access, or another privileged network vantage point; it is not an internet-wide unauthenticated RCE against your servers or laptops. The flaw is real and standards-noncompliant, but for a 10,000-endpoint enterprise it is mostly a mobile-carrier risk to sensitive voice/SMS workflows, not a Monday-morning patch emergency.

"Technically ugly, operationally niche: this needs an on-path telecom attacker, not a random internet scanner."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get telecom-path position

The attacker first needs a man-in-the-middle position between the handset and Verizon's IMS edge, or equivalent visibility inside the operator path. In practice that means a rogue LTE setup such as srsRAN plus SDR gear, compromised carrier infrastructure, lawful-intercept abuse, or another radio/core vantage point that can observe IMS PDN traffic.

Conditions required:

Attacker can observe or influence traffic on the UE-to-P-CSCF path
Target is using Verizon VoLTE/IMS signaling
Victim is in radio range or otherwise traversing attacker-controlled telecom infrastructure

Where this breaks in practice:

This is not reachable from the public internet like a normal enterprise edge service
Radio/cellular-path attacks require specialized equipment, expertise, or insider-level access
Modern enterprise adversaries usually need a prior foothold in telecom infrastructure to do this at scale

Detection/coverage: Traditional vuln scanners will miss this entirely. Detection requires packet capture on a test handset path or carrier-side telemetry proving missing IMS security negotiation.

STEP 02

Confirm missing IMS security negotiation

Using Wireshark or tshark, the attacker inspects SIP REGISTER and related signaling and confirms there are no Security-Client, Security-Server, or Security-Verify headers and no ESP-protected follow-on traffic. That validates that the session is running without the integrity protection expected by 3GPP TS 33.203.

Conditions required:

Visibility into IMS registration or call-setup packets
Victim handset establishes an IMS session during observation window

Where this breaks in practice:

Carrier configuration may vary by device, software build, region, or phased rollout
Some sessions may eventually negotiate protection if Verizon finishes the reported rollout

Detection/coverage: Network IDS content rules can key on SIP headers, but only where defenders can actually see the traffic. Mobile fleet MDM tools generally have no coverage here.

STEP 03

Manipulate SIP signaling

Once the attacker knows the signaling is not integrity-protected, tools like Scapy, SIPp, or direct packet injection can modify or replay SIP messages such as INVITE, BYE, MESSAGE, or registration traffic. The lack of cryptographic integrity means altered signaling may be accepted as authentic if transport-path control is maintained.

Conditions required:

Attacker remains on path long enough to inject or tamper with SIP messages
Session endpoints accept modified signaling without additional carrier-side checks

Where this breaks in practice:

Timing matters; telecom signaling windows are short and protocol behavior is finicky
Carrier policy, NAT behavior, retransmissions, and handset quirks can break exploit reliability
This is far harder than dropping a canned HTTP exploit at scale

Detection/coverage: Look for anomalous SIP dialog changes, repeated registration churn, unexpected BYE/MESSAGE patterns, or mismatched call-detail records versus user reports.

STEP 04

Abuse call or messaging trust

Successful tampering can expose call metadata, influence routing, inject signaling content, or terminate sessions. The impact is primarily on the confidentiality and integrity of mobile voice/SMS signaling rather than remote code execution or domain-wide host takeover.

Conditions required:

Victim relies on native carrier voice/SMS over affected IMS path
Business process depends on trust in cellular signaling

Where this breaks in practice:

Blast radius is bounded to the victim session, subscriber set, or local telecom vantage
Many enterprises already use end-to-end encrypted apps for high-risk conversations, reducing practical damage

Detection/coverage: End-user complaints, telecom troubleshooting traces, and carrier escalation are the main paths. Endpoint EDR will not meaningfully detect this.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public evidence of active exploitation found as of 2026-06-02. The CVE's CISA ADP SSVC enrichment says `Exploitation: none` in the official CVE JSON.
KEV status	Not listed in CISA KEV as of 2026-06-02. This materially lowers urgency versus internet-facing bugs with confirmed abuse.
Proof-of-concept availability	No public exploit repo or Metasploit/Nuclei coverage found for this CVE. Exploitation would likely use generic telecom tooling such as `srsRAN`, SDR hardware, `Wireshark`, and SIP injection tools rather than a drop-in CVE script.
EPSS	No EPSS score was located for this freshly published CVE on public FIRST sources at assessment time; treat exploit-likelihood scoring as unavailable, not zero.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` maps to severe technical impact, but it hides the real-world prerequisite that the attacker must be on the telecom path.
Affected versions	Official CVE data lists Verizon VoLTE / version UNKNOWN. Operationally, think affected IMS/VoLTE signaling paths rather than a neat software version range.
Fixed version	No authoritative fixed version or patch build is published. The Vista/CERT-style write-up says Verizon indicated integrity support is available on request and broader rollout would begin later in 2026, but that is not the same as a published patch baseline.
Scanning / exposure data	This is not meaningfully Shodan/Censys-style internet exposure. The attack surface lives on the IMS PDN / UE-to-P-CSCF signaling path, so external asset scanners will underreport or completely miss it.
Disclosure date	Published 2026-06-02 in the official CVE record.
Reporting / coordination	The CVE was assigned by CERT/CC (`certcc`). The public write-up cites researcher observation of live traffic but does not provide a clean named-researcher attribution in the official CVE JSON.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.8/10)

The decisive downgrading factor is the attacker position requirement: this is an *on-path telecom attack*, not an internet-reachable enterprise software exploit. Even though the integrity gap is serious in protocol terms, the reachable attacker population is narrow and the blast radius is tied to mobile signaling sessions rather than broad host compromise.

HIGH Vendor CVSS materially overstates enterprise patch urgency

MEDIUM Public facts on exact rollout/fix status across Verizon subscribers

MEDIUM Assessment that most enterprises cannot directly remediate this at host level

Why this verdict

Requires telecom-path access: moving from AV:N on paper to *real* exploitability, the attacker needs rogue radio/core/on-path capability, which is a massive downward pressure versus ordinary public-edge flaws.
Not enterprise-scannable or internet-exposed: this does not present like a public web login, VPN, or exposed management port across 10,000 hosts.
No active exploitation / no KEV / no public PoC: absent real-world abuse evidence, there is no reason to honor the vendor's CRITICAL label at face value.
Blast radius is session-level signaling trust: bad for voice/SMS integrity, but not a turnkey path to domain admin, ransomware spread, or fleet-wide code execution.
No defender-controlled patch object: the affected component is a carrier IMS deployment with version UNKNOWN, so this is more vendor-risk governance than endpoint patch operations.

Why not higher?

A higher rating would make sense only if this were broadly reachable by ordinary remote attackers or already under active exploitation. Instead, every practical path starts with a rare and expensive prerequisite: telecom on-path control. That sharply constrains both who can do it and how often it will matter to a typical enterprise fleet.

Why not lower?

This is not harmless paperwork. If the published observations are accurate, core security properties for carrier voice/SMS signaling are missing, and a capable attacker could tamper with or observe sensitive communications. Organizations with executives, journalists, field responders, or other high-risk mobile users should care even if this is not a patch fire drill.

05 · Compensating Control

What to do — in priority order.

Move sensitive mobile comms off native carrier SMS/voice — For high-risk users, prefer end-to-end encrypted messaging/calling apps for sensitive discussions so compromise of IMS SIP signaling has less operational value. Because this is a LOW verdict, there is no SLA (treat as backlog hygiene), but high-risk user groups should be migrated on the next normal mobility/security review cycle.
Escalate to your Verizon account team — Ask for written confirmation of whether your subscriber base has IMS IPsec integrity enabled, what rollout date applies, and how they validate Security-Client/Security-Server plus ESP in production. There is no SLA (treat as backlog hygiene) for LOW findings, but carrier attestation should be collected as part of vendor-risk management.
Validate with packet capture on a test device — Capture IMS registration/call setup from representative Verizon devices and verify whether security negotiation headers and ESP appear. For a LOW verdict there is no SLA (treat as backlog hygiene), but this is the only practical way to distinguish a stale advisory from a fixed rollout.
Segment high-risk use cases to Wi-Fi calling or managed alternatives — Where policy allows, steer executives or incident responders toward managed communication paths with stronger enterprise control and logging. There is no SLA (treat as backlog hygiene), but this reduces dependency on opaque carrier signaling trust.

What doesn't work

EDR on laptops and servers: it cannot see or block missing IMS security negotiation inside the carrier signaling path.
Routine vulnerability scanning: Nessus/Qualys-style scanners do not have a versioned package or reachable service to test here.
MFA: valuable generally, but irrelevant to a carrier-side SIP integrity gap.
Patching the handset OS alone: the public reporting suggests the core issue is network-side enforcement and negotiation, not just a missing app update on the phone.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation that has tshark installed, against a packet capture taken from a test handset's IMS/VoLTE session on Verizon. Invoke it as python3 verify_cve_2026_10629.py capture.pcapng; no root is needed to analyze an existing pcap, but capturing the traffic may require privileged access or mobile lab tooling.

noisgate-verify.py

PYTHONREAD-ONLYSAFE

#!/usr/bin/env python3
# verify_cve_2026_10629.py
# Check a pcap for signs of missing IMS SIP security negotiation / ESP protection.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=tool/runtime error

import shutil
import subprocess
import sys
from pathlib import Path

TSHARK = shutil.which('tshark')

if TSHARK is None:
    print('UNKNOWN - tshark not found in PATH')
    sys.exit(2)

if len(sys.argv) != 2:
    print(f'Usage: {Path(sys.argv[0]).name} <capture.pcap|pcapng>')
    sys.exit(2)

pcap = Path(sys.argv[1])
if not pcap.exists():
    print(f'UNKNOWN - file not found: {pcap}')
    sys.exit(2)

try:
    # Pull SIP methods and relevant IMS security headers if present.
    sip_cmd = [
        TSHARK, '-r', str(pcap), '-Y', 'sip', '-T', 'fields',
        '-E', 'separator=|', '-E', 'occurrence=f',
        '-e', 'frame.number',
        '-e', 'sip.Method',
        '-e', 'sip.Security.client',
        '-e', 'sip.Security.server',
        '-e', 'sip.Security.verify',
    ]
    sip_out = subprocess.run(sip_cmd, capture_output=True, text=True, check=False)

    if sip_out.returncode != 0:
        print('UNKNOWN - tshark failed while parsing SIP traffic')
        sys.exit(3)

    # Count ESP packets in the capture.
    esp_cmd = [TSHARK, '-r', str(pcap), '-Y', 'esp', '-T', 'fields', '-e', 'frame.number']
    esp_out = subprocess.run(esp_cmd, capture_output=True, text=True, check=False)
    if esp_out.returncode != 0:
        print('UNKNOWN - tshark failed while parsing ESP traffic')
        sys.exit(3)

    sip_lines = [ln for ln in sip_out.stdout.splitlines() if ln.strip()]
    esp_lines = [ln for ln in esp_out.stdout.splitlines() if ln.strip()]

    if not sip_lines:
        print('UNKNOWN - no SIP traffic found in capture')
        sys.exit(2)

    saw_register = False
    saw_security_header = False

    for line in sip_lines:
        parts = line.split('|')
        # frame|method|sec-client|sec-server|sec-verify
        while len(parts) < 5:
            parts.append('')
        _, method, sec_client, sec_server, sec_verify = [p.strip() for p in parts[:5]]

        if method.upper() == 'REGISTER':
            saw_register = True

        if sec_client or sec_server or sec_verify:
            saw_security_header = True

    esp_count = len(esp_lines)

    # Heuristic decision logic:
    # PATCHED if we see IMS security negotiation headers and any ESP traffic.
    # VULNERABLE if we see SIP REGISTER but no security headers and no ESP.
    # UNKNOWN otherwise.
    if saw_security_header and esp_count > 0:
        print('PATCHED - observed IMS security headers and ESP traffic')
        sys.exit(0)

    if saw_register and (not saw_security_header) and esp_count == 0:
        print('VULNERABLE - observed SIP REGISTER without IMS security headers and without ESP traffic')
        sys.exit(1)

    print('UNKNOWN - incomplete evidence; capture may be partial or environment may vary by device/network state')
    sys.exit(2)

except Exception as exc:
    print(f'UNKNOWN - runtime error: {exc}')
    sys.exit(3)

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not throw emergency patch capacity at this like it is another edge RCE. Treat it as a mobile-carrier trust issue: identify high-risk Verizon-dependent user groups, shift sensitive communications toward end-to-end encrypted apps, and obtain written carrier status on IMS integrity rollout. Because the reassessed verdict is LOW, there is noisgate mitigation SLA and noisgate remediation SLA does not apply like a normal patch cycle; treat this as backlog hygiene plus vendor-risk follow-up, and document your rationale unless your threat model includes telecom-capable adversaries.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.