CVE-2006-3524

SIPfoundry sipXtapi <20060324 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 7 public exploits for CVE-2006-3524. PoCs published by Metasploit, Michael Thumann, including Metasploit module exploits/windows/sip/aim_triton_cseq.

AI-analyzed exploit summary This Metasploit module exploits a buffer overflow in SIPfoundry sipXphone 2.6.0.27 by sending an overly long CSeq value via UDP, leading to arbitrary code execution.

Description

Buffer overflow in SIPfoundry sipXtapi released before 20060324 allows remote attackers to execute arbitrary code via a long CSeq field value in an INVITE message.

Exploits (7)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16352

This Metasploit module exploits a buffer overflow in SIPfoundry sipXphone 2.6.0.27 by sending an overly long CSeq value via UDP, leading to arbitrary code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SIPfoundry sipXphone 2.6.0.27
No auth needed
Prerequisites: Network access to the target on UDP port 5060
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16351

This Metasploit module exploits a buffer overflow in SIPfoundry's sipXezPhone 0.35a by sending a maliciously crafted SIP INVITE request with an overly long CSeq header, leading to arbitrary code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SIPfoundry sipXezPhone 0.35a
No auth needed
Prerequisites: Network access to the target on UDP port 5060
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16353

This exploit targets a buffer overflow in AIM Triton 1.0.4 by sending a maliciously crafted SIP INVITE request with an overly long CSeq value, leading to arbitrary code execution via SEH overwrite.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: AIM Triton 1.0.4
No auth needed
Prerequisites: Network access to the target on UDP port 5061 · AIM Triton 1.0.4 installed and running
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Michael Thumann · perldoshardware
https://www.exploit-db.com/exploits/2000

This Perl script exploits a remote buffer overflow in sipXtapi by sending a maliciously crafted SIP INVITE packet to UDP port 5060. The exploit overwrites the EIP register with a controlled pattern, demonstrating the vulnerability.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Theoretical
Target: sipXtapi (version not specified)
No auth needed
Prerequisites: Network access to UDP port 5060 on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/sip/aim_triton_cseq.rb

This Metasploit module exploits a buffer overflow in AIM Triton 1.0.4 by sending a maliciously crafted SIP INVITE request with an overly long CSeq value, leading to arbitrary code execution. The exploit leverages SEH overwrites and includes a payload delivery mechanism.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: AIM Triton 1.0.4
No auth needed
Prerequisites: Network access to target on UDP port 5061 · Target running AIM Triton 1.0.4
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC GREAT
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/sip/sipxezphone_cseq.rb

This Metasploit module exploits a buffer overflow in SIPfoundry's sipXezPhone 0.35a by sending a maliciously crafted SIP INVITE request with an overly long CSeq header, leading to arbitrary code execution. The exploit uses a UDP-based attack vector and includes SEH (Structured Exception Handler) bypass techniques to achieve reliable exploitation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SIPfoundry sipXezPhone 0.35a
No auth needed
Prerequisites: Network access to the target on UDP port 5060 · Target running sipXezPhone 0.35a
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC GREAT
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/sip/sipxphone_cseq.rb

This Metasploit module exploits a buffer overflow in SIPfoundry sipXphone 2.6.0.27 by sending a maliciously crafted SIP INVITE request with an overly long CSeq value, leading to arbitrary code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SIPfoundry sipXphone 2.6.0.27
No auth needed
Prerequisites: Network access to the target on UDP port 5060
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (10)

Core 10
Core References
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2735
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/27122
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20997
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27681
Mailing List mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047794.html
Mailing List mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047757.html
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/18906
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/440135/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016455
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/439617/100/0/threaded

Scores

EPSS 0.6699
EPSS Percentile 99.2%

Details

Status published
Products (1)
sipfoundry/sipxtapi
Published Jul 12, 2006
Tracked Since Feb 18, 2026