Twilio

An unauthenticated remote attacker can leverage a missing authorization vulnerability (CWE-862) in the Pipecat development runner's `/ws` WebSocket endpoint to supply a crafted `callSid` in a handshake message, compelling the server to use its configured Twilio, Telnyx, or Plivo credentials to issue authenticated API requests that terminate active calls, resulting in denial of service and credential abuse.

Talos has begun tracking phone numbers in emails as indicators of compromise, revealing insights into their reuse in scam campaigns where attackers use API-driven VoIP services for cost-effective operations, rotating phone number blocks to evade security filters, and maximizing reach by recycling numbers across diverse lures.