
CISA issues update on missing IPsec integrity for Verizon IMS SIP signaling

Verizon VoLTE deployments on its IMS network implement SIP signaling without IPsec-based integrity protection, which results in SIP messages being sent without cryptographic integrity guarantees. The issue affects SIP signaling used for registration, call setup, and messaging, enabling on-path manipulation of those messages without detection by the UE or the IMS core.

The vulnerability is identified as CVE-2026-10629. The SIP signaling stack in Verizon IMS (unspecified version) omits IPsec integrity protection: the Security-Client and Security-Server headers are missing and no ESP traffic is present. Observations over several weeks on Verizon’s network showed no use of SIP Security Agreement headers during the REGISTER exchange, and post-registration SIP traffic (including INVITE, MESSAGE, BYE, and UPDATE) traversed the network in plaintext over standard UDP/TCP, with no ESP encapsulation. The advisory states that 3GPP TS 33.203 and GSMA IR.92 require SIP signaling between the UE and P-CSCF to be protected using IPsec ESP with mandatory integrity following IMS AKA authentication. That protection is negotiated via SIP Security Agreement headers (Security-Client, Security-Server, Security-Verify) during registration and produces integrity-protected ESP traffic for subsequent signaling messages.

With SIP signaling lacking IPsec integrity protection, on-path attackers can intercept, modify, replay, or inject SIP messages without detection. The advisory says this enables call hijacking, spoofing of SMS-over-IMS, denial-of-service through forged BYE or CANCEL, and manipulation of emergency call routing, without requiring compromise of the UE, SIM, or backend infrastructure. It also states that modifications go unnoticed by both the UE and the IMS core, undermining core security assumptions of VoLTE.

Until Verizon fully mitigates the vulnerability, the advisory says users and enterprises should assume VoLTE signaling is untrusted for high-assurance operations. In addition, the advisory includes a statement attributed to Verizon on [insert date] that integrity support is “currently available at their request” and will be extended to all UEs “starting later this year,” while also noting that there is no evidence yet that Verizon has modified its network to enforce IPsec or that any device-side configuration change is functionally operational in production deployments.

Guidance in the advisory also references 3GPP TS 33.203 and GSMA IR.92 as the basis for the expected protection model for IMS SIP signaling, and it describes the SIP Security Agreement headers (Security-Client, Security-Server, Security-Verify) as the means of negotiating IPsec ESP integrity during registration. It further states that observations on Verizon’s network found no such headers in use and no ESP traffic for subsequent signaling messages.
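The header check described above can be run over a captured REGISTER exchange. The following is an added example, not code from the advisory; the function names are hypothetical, the sample messages are constructed, and the `ipsec-3gpp` mechanism name and `alg` parameter are assumed from the RFC 3329 Security Agreement syntax rather than taken from this page.

```python
import re
SEC_HEADERS = ("security-client", "security-server", "security-verify")

def parse_sip(raw):
    """Return (start_line, {lowercased header name: [values]}) for one SIP message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)  # unfold continuation lines
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def offers_ipsec_3gpp(values):
    """True if an entry names ipsec-3gpp and carries an integrity algorithm (alg=)."""
    for entry in ",".join(values).split(","):
        parts = [p.strip().lower() for p in entry.split(";")]
        if parts[0] == "ipsec-3gpp" and any(p.startswith("alg=") for p in parts[1:]):
            return True
    return False

def audit_registration(messages):
    """Report which Security Agreement headers appear in a REGISTER exchange."""
    seen = dict.fromkeys(SEC_HEADERS, False)
    for raw in messages:
        start, headers = parse_sip(raw)
        first = start.upper()
        if not (first.startswith("REGISTER ") or first.startswith("SIP/2.0 ")):
            continue  # only the registration request and its responses matter here
        for name in SEC_HEADERS:
            if offers_ipsec_3gpp(headers.get(name, [])):
                seen[name] = True
    seen["negotiated"] = all(seen[name] for name in SEC_HEADERS)
    return seen

# Constructed sample exchanges (not captured traffic); the host is a placeholder.
def sample_msg(start, extra=""):
    return f"{start}\r\n{extra}CSeq: 1 REGISTER\r\n\r\n"
SEC = "ipsec-3gpp; alg=hmac-sha-1-96; spi-c=1111; spi-s=2222; port-c=5062; port-s=5064"
REQ, CHALLENGE = "REGISTER sip:ims.example.invalid SIP/2.0", "SIP/2.0 401 Unauthorized"
PLAIN = [sample_msg(REQ), sample_msg(CHALLENGE), sample_msg(REQ)]
PROTECTED = [
    sample_msg(REQ, f"Security-Client: {SEC}\r\n"),
    sample_msg(CHALLENGE, "Security-Server: ipsec-3gpp;\r\n alg=hmac-sha-1-96\r\n"),
    sample_msg(REQ, f"Security-Client: {SEC}\r\nSecurity-Verify: {SEC}\r\n"),
]

if __name__ == "__main__":
    print({"plain": audit_registration(PLAIN), "protected": audit_registration(PROTECTED)})
```

A result of `negotiated: False` only shows that the agreement headers were absent from the exchange supplied; confirming ESP encapsulation of later signaling requires inspecting the IP-layer capture separately.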