Published: July 7, 2026 | Last Modified: July 7, 2026
On 2015-09-14, Marcello Duarte disclosed a vulnerability in FreeSWITCH on the Bugtraq mail list. This was assigned CVE-2015-7392 which reads: Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing \u in a json string to cJSON_Parse. After investigation, Tenable found that this description is not fully accurate, and that the issue was not properly patched. It is still possible to trigger a heap overflow via crafted JSON in FreeSWITCH from version 1.4.4 to 1.6.2 (current), and 1.7.0 (development). Further, the original CVE entry only mentions exploitation in the third-party Event Socket library, but there are at least three other vectors of exploitation of the same (or similar) vulnerability in FreeSWITCH itself, one native to FreeSWITCH itself: FreeSWITCH command line via the "json" command (switch_json.c, local). Executing the FreeSWITCH command "json" via an Event Socket library connection to the Event Socket module (switch_json.c, local by default, remote potentially). Sending crafted JSON to the Verto module multicast listener (switch_json.c, remote). Malformed / malicious JSON traffic from the server to an ESL client (esl_json.c, remote and may require MitM) The original Bugtraq disclosure indicates that the vulnerability was patched on September 14, 2015, and it is associated with a Jira ticket (inaccessible to the general public).
This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.