{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/615987#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview \r\nVoLTE deployments on Verizon’s IMS network have operated without negotiated SIP integrity protection. In observed test conditions, SIP signaling—including registration, call setup, and messaging—traveled without IPsec ESP encapsulation and without SIP Security Agreement headers, exposing it to interception and modification by on-path attackers.\r\n\r\nRecent carrier configuration updates, including Apple’s iOS 26.5 carrier bundle released on May 11, 2026, include IMS IPsec–related settings. However, such configuration entries do not confirm active deployment, successful negotiation, or functional protection in production.\r\n\r\n### Description\r\n**CVE-2026-10629**\r\nVerizon IMS deployments were observed transmitting SIP signaling without integrity protection. REGISTER exchanges lacked Security-Client, Security-Server, and Security-Verify headers, and no ESP-encapsulated SIP traffic was detected during subsequent signaling such as INVITE, MESSAGE, BYE, and UPDATE. This pattern persisted across devices, operating systems, and network conditions, indicating a deliberate network configuration rather than a transient issue.\r\n\r\nPer 3GPP TS 33.203 and GSMA IR.92, SIP signaling between the UE and P-CSCF must be protected using IPsec ESP following IMS AKA authentication, with negotiation occurring during registration. The absence of this protection allows attackers to manipulate SIP signaling undetected, enabling call hijacking, spoofing, denial-of-service, and misrouting of emergency calls.\r\n\r\nVerizon initially acknowledged the issue and stated that integrity support would be available upon request and extended broadly later in the year. 
However, the company has since ceased participation in coordination, including follow-up discussions and draft review, and has not provided verifiable evidence of mitigation. As remediation remains unconfirmed, this disclosure proceeds to inform users of an ongoing security exposure.\r\n\r\nIndependent verification would require observation of successful SIP security negotiation, ESP-protected traffic, or official confirmation from Verizon.\r\n\r\n### Impact\r\nWithout integrity protection, on-path attackers can intercept, replay, or alter SIP messages with no risk of detection. This undermines core VoLTE security assumptions and enables signaling spoofing, call disruption, and manipulation of emergency routing.\r\n\r\nAlthough recent configuration changes suggest potential progress, their operational status remains unverified. Until protections are confirmed, the risk persists.\r\n\r\n### Solution\r\nRemediation requires coordinated network and device-side changes. Verizon must enable and enforce SIP security negotiation and ESP protection in its IMS core infrastructure, and devices must receive and apply correct carrier configuration to support IPsec.\r\n\r\nVerification should confirm successful SIP security negotiation and ESP-protected signaling, either through observed headers, traffic capture, or operator confirmation.\r\n\r\nUntil then, organizations relying on high-assurance VoLTE should treat signaling as untrusted.\r\n\r\n### Acknowledgements\r\nThe authors thank DongWon Lee, Jeongmin Choi, and CheolJun Park from Kyung Hee University for their technical analysis, coordination efforts, and identification of the iOS 26.5 configuration updates. 
Their work has advanced understanding of this issue and ensured disclosures remain grounded in observable evidence.\r\nThis report was prepared by Timur Snoke, with AI-assisted drafting to support clarity and accuracy.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"After reviewing the issue you raised, it appears the GSMA and 3GPP provisions you referenced are not mandatory, allowing carriers the flexibility to adopt the protocols at their discretion.  Verizon takes the integrity of its network very seriously and appreciates your outreach and concern with regard to this issue.","title":"Vendor statement from Verizon"},{"category":"other","text":"CERT/CC notes that the reporter disputed Verizon’s characterization of the referenced GSMA and 3GPP provisions as “not mandatory.” The reporter cited 3GPP TS 33.203 Sections 6.1.2–6.1.3 and GSMA IR.92 Clauses 7.3 and 14.3, which describe mandatory IMS/VoLTE signaling protection requirements involving IPsec integrity protection for SIP signaling.\r\n\r\nThe reporter further asserted that GSMA certification processes for VoLTE interoperability and deployment rely on compliance with these specifications. 
According to the report, observed network behavior indicating the absence of SIP Security headers and ESP traffic may be inconsistent with those specifications or may indicate the use of alternative compensating controls that were not disclosed during coordination.\r\n\r\nVerizon did not provide additional technical details regarding compensating security mechanisms or clarify which specific provisions it considered optional within the context of the reported behavior.","title":"CERT/CC comment on Verizon notes"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/615987"},{"url":"https://www.3gpp.org/DynReport/33203.htm","summary":"https://www.3gpp.org/DynReport/33203.htm"},{"url":"https://www.gsmaindex.com/standards/IR.92","summary":"https://www.gsmaindex.com/standards/IR.92"},{"url":"https://datatracker.ietf.org/doc/html/rfc5247","summary":"https://datatracker.ietf.org/doc/html/rfc5247"},{"url":"https://datatracker.ietf.org/doc/html/rfc3329","summary":"https://datatracker.ietf.org/doc/html/rfc3329"}],"title":"Missing IPsec Integrity Protection for IMS SIP Signaling in Verizon VoLTE Deployments","tracking":{"current_release_date":"2026-06-02T17:27:49+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.42"}},"id":"VU#615987","initial_release_date":"2026-06-02 14:27:25.480924+00:00","revision_history":[{"date":"2026-06-02T17:27:49+00:00","number":"1.20260602172749.4","summary":"Released on 2026-06-02T17:27:49+00:00"}],"status":"final","version":"1.20260602172749.4"}},"vulnerabilities":[{"title":"SIP signaling stack in Verizon IMS 
(unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network.","notes":[{"category":"summary","text":"SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network."}],"cve":"CVE-2026-10629","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#615987"}],"product_status":{"known_not_affected":["CSAFPID-7da40360-5eab-11f1-8c68-0afff74df6a7"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Verizon","product":{"name":"Verizon Products","product_id":"CSAFPID-7da40360-5eab-11f1-8c68-0afff74df6a7"}}]}}