Security Affairs
222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation|A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach|Telegram-Hosted RedWing Malware Lets Anyone Rent Android Spyware Tools|U.S. CISA adds Adobe ColdFusion, Joomlack Page Builder, Langflow, and JoomShaper SP Page Builder flaws to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Compromising Proxy Call Session Control Function (P-CSCF) using VoLTE

The IP Multimedia Subsystem (IMS) facilitates telecom operators in delivering multimedia applications and voice traffic over IP transport. Proxy Call Session Control Function (P-CSCF) is the first node in IMS Platform (figure 1) to interact with the User Equipment (UE) when initiating a VoLTE call. figure 1 – Placement of Proxy Call Session Control Function in IMS Platform Identify […]

Compromising Proxy Call Session Control Function (P-CSCF) using VoLTE

The IP Multimedia Subsystem (IMS) facilitates telecom operators in delivering multimedia applications and voice traffic over IP transport. Proxy Call Session Control Function (P-CSCF) is the first node in IMS Platform (figure 1) to interact with the User Equipment (UE) when initiating a VoLTE call.

P-CSCF
figure 1 – Placement of Proxy Call Session Control Function in IMS Platform

Identify and Compromise Proxy Call Session Control Function with VoLTE phone:
1) Initiate a call with VoLTE phone and simultaneously open phone’s terminal to list currently established sessions. It was possible to identify the IP address of serving P-CSCF node, connected on port 5060 (figure 2).

P-CSCF
figure 2 – Identifying P-CSCF node connected on port 5060 (SIP protocol)

2) Management console of an application server and Proxy Call Session Control Function application (figure 3 & figure 4) were found by performing a service scan on identified IP address.

P-CSCF
figure 3 – P-CSCF applications’s management console
P-CSCF
figure 4 – Application server’s management console

3) Application server, Oracle Glassfish, was found to be weakly configured and could be accessed using weak credentials (figure 5).

P-CSCF
figure 5 – Access to Oracle Glassfish server using weak credentials

4) A reverse shell was triggered using a web shell and gained root access of the P-CSCF node (figure 6).

P-CSCF
figure 6 – Gained root access to P-CSCF (IMS)

After gaining access to the IMS platform, Attacker can compromise other core telecom components in the network.

To prevent such attacks, telecom operators should ensure traffic segregation between user plane, control plane, and management plane. It is highly recommended to patch all the core network elements with the latest security patches released by the vendor. Also, develop and implement minimum security guidelines before integrating nodes in the network.

Hope you enjoyed reading, suggestions are always welcome.

The original post is available at:
About the Author: Security Researcher Hardik Mehta (@hardw00t)
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Proxy Call Session Control Function, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]