Talos Vulnerability Report


coTURN server unsafe telnet admin portal default configuration vulnerability

January 29, 2018
CVE Number



An exploitable unsafe default configuration vulnerability exists in the TURN server function of coTURN prior to version By default, the TURN server runs an unauthenticated telnet admin portal on the loopback interface. This can provide administrator access to the TURN server configuration, which can lead to additional attacks. An attacker who can get access to the telnet port can gain administrator access to the TURN server.

Tested Versions


Product URLs


CVSSv3 Score

6.5 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H


CWE-798: Use of Hard-coded Credentials


coTURN is an open-source implementation of TURN and STUN servers that can be used as a general-purpose network traffic TURN server. TURN servers are usually deployed in so-called “DMZ” zones — any server reachable by the internet — to provide firewall traversal solutions. Attackers who are able to take over such servers may be able to bypass firewalls and conduct further attacks.

According to Shodan, thousands of coTURN servers are directly reachable on the internet.

The default options of affected coTURN servers run an unauthenticated telnet admin portal, which provides administrator access to the TURN server configuration.


Run the coTURN server with the following option to disable the telnet portal:

--no-cli					Turn OFF the CLI support. By default it is always ON

Or set up a password:

--cli-password=<password>			CLI access password. Default is empty (no password)
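The following is an added example, not part of the Talos advisory or of the coTURN project: a small POSIX shell audit that classifies a turnserver configuration file by whether the telnet CLI has been disabled, password-protected, or left open, using the two options named above. It assumes (as coTURN's documentation states) that the config file accepts the same option names as the command line without the leading dashes ("no-cli", "cli-password=..."); the three sample configuration files it writes are constructed for the demonstration and are not from the advisory.

```shell
#!/bin/sh
# Added example (not advisory or coTURN code): audit turnserver.conf for the
# unauthenticated telnet CLI. Assumption: config keys mirror the CLI flags
# without dashes, i.e. "no-cli" and "cli-password=<value>".

# Print one of: disabled | password | open. Comment lines ("#...") are ignored
# because the pattern is anchored at the start of the line.
cli_status() {
  conf="$1"
  if grep -Eq '^[[:space:]]*no-cli[[:space:]]*$' "$conf"; then
    echo "disabled"
    return 0
  fi
  pw=$(grep -E '^[[:space:]]*cli-password=' "$conf" | head -n1 | cut -d= -f2-)
  if [ -n "$pw" ]; then
    echo "password"
    return 0
  fi
  echo "open"
  return 0
}

# Exit 0 when a mitigation is present, 1 when the CLI is reachable with no
# password (the condition described in this advisory).
audit_turn_cli() {
  status=$(cli_status "$1")
  case "$status" in
    disabled) echo "ok: CLI disabled (no-cli)"; return 0 ;;
    password) echo "ok: CLI password set"; return 0 ;;
    *)        echo "weak: telnet CLI enabled with no password"; return 1 ;;
  esac
}

# Constructed sample configs (not real deployments).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
# CLI options left commented out, as in a typical shipped template
listening-port=3478
#no-cli
#cli-password=
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
listening-port=3478
no-cli
EOF
cat > "$SAMPLE_DIR/password.conf" <<'EOF'
listening-port=3478
cli-password=REPLACE_WITH_STRONG_SECRET
EOF

# Usage: classify each sample; a real run would point at /etc/turnserver.conf.
for f in default hardened password; do
  printf '%s.conf: ' "$f"
  audit_turn_cli "$SAMPLE_DIR/$f.conf" || true
done
```

Run it against the configuration file your turnserver actually loads; a commented-out `#no-cli` line counts as open, which is the case the advisory describes. Disabling the CLI outright (no-cli) is the smaller attack surface; setting cli-password keeps the administrative interface but gates it.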


2017-09-04 - Vendor Disclosure
2019-01-28 - Vendor Patched
2019-01-29 - Public Release


Discovered by Nicolas Edet of Cisco.