Eltex SMG Series Hybrid IP Platform

2025: Addressing a pre-auth RCE class vulnerability

PT SWARM expert Nikita Petrov discovered vulnerability with a critically high level of danger in five devices. Eltex Positive Technologies announced this on May 28, 2025. According to to data the organization, more than 20 thousand companies in and abroad use its solutions Russia. In the event of a successful exploitation of a security flaw, an attacker could hypothetically establish full control over the attacked system for further development. attacks The vendor fixed the vulnerability after notification under the responsible disclosure policy and recommends that companies update the built-in. ON

The vulnerability BDU:2025-01096 received 9.8 points on the CVSS 3.0 scale, which means a critical level of danger. The resolved error belongs to the pre-auth RCE class (executing arbitrary commands on behalf of an unauthenticated user). The defect, presumably, could allow an attacker to seize the system to achieve their goals, including to implement a supply chain attack.

The disadvantage was contained in trunk gateways SMG-1016M, SMG-2016, SMG-3016, as well as in two models of automatic telephone exchanges (PBXs) operating on the basis of the Internet protocol IP- SMG-200 and SMG-500. Users should update devices to version 3.23.1 or 3.405.1 as soon as possible, depending on the equipment model. A researcher from Positive Technologies also recommends removing vulnerable equipment from the external perimeter of the organization.

{{quote 'Vulnerability BDU:2025-01096 hypothetically could allow an attacker to act on a variety of scenarios without authentication. For example, implement a backdoor to maintain access to the system even after the error is corrected. If the device were located on the external perimeter of the organization, the attack could develop into an internal network. In some cases, there could even be a risk of violation of business processes, - said Nikita Petrov, senior specialist of the penetration testing department in the security analysis department of Positive Technologies. - OS commands, which could be performed by the offender, would depend on the goals pursued by him. For example, to gain a foothold on the attacked node, an attacker could add his SSH key. }}

Eltex recommends using SMG devices on a public network only if additional security tools are available, such as network traffic analysis tools.

2019

Office IP PBX SMG-200

To connect a PBX designed for 50-200 employees, ELTEX offers a solution consisting of the following equipment:

1. The office IP PBX SMG-200 supports up to 200 subscribers. 16 RJ-11 ports can be used to connect analog telephones (FXS) and/or city lines (FXO). LAN ports are designed to connect to carrier networks using SIP trunks and/or H.323 trunks, as well as to connect VoIP gateways (for example, TAU-24 with support for 24 FXS ports) to increase the number of FXS/FXO ports. Conversation records and CDR files are stored on an SD card or USB drive. It is also possible to automatically upload files to an FTP server.

To connect an office PBX designed for 200-500 employees, ELTEX offers a solution consisting of the following equipment:

1. Office IP PBX SMG-500, designed for a capacity of 250 to 500 subscribers. Ye1 and/or SIP/H.323 trunk ports can be used to connect to the PSTN. Analog telephones are connected to the SMG-500 through subscriber VoIP gateways, IP telephones - through a data network. Conversation records and CDR files are stored on an SD card or USB drive. It is also possible to automatically upload files to external media and to an FTP server.

2. A managed MES2324 access switch provides physical stacking, support for VLANs, multicast distribution groups, and advanced security features.

3. The multi-port VoIP subscriber gateway is TAU-24.IP designed to transmit voice and fax information over IP networks. The gateway provides subscribers with high-quality telephone communication.

4. The VP-12 IP phone is a modern solution for connecting employees to the IP telephony network.

Advantages of ELTEX solutions:

• A modern system with support for expansion to 200 and 500 subscribers with the prospect of increasing the number of employees without changing equipment.
• Centralized management of the number plan, subscriber services, access rights, etc., through the Web interface.
• Support for a wide range of modern services (voice mail, group alerts, conferences, complex forwarding, etc.).
• Call center capability for call service.
• Continuous availability of telephony. Access to the city network can be arranged both through analog FXO trunks and via SIP trunks and/or H.323 trunks, including having several channels at the same time. The channels used to access the telephone network are very flexible.
• Call security - local conversations take place inside the system and do not go beyond the boundaries of the office network (unlike cloud PBXs), you can also organize recording of conversations without purchasing additional equipment.
• Telephone savings. Access to the city network can be carried out through channels/operators that are more profitable financially.
• Business security - the equipment belongs to the company, so there is no dependence on the availability of an Internet connection, the disappearance of a cloud operator.

Yealink IP Phone Compatibility

On May 13, 2019, ELTEX reported confirming the compatibility of Yealink phones with ECSS-10 and SMG products. Read more here.

SMG-3016

On April 12, 2019, ELTEX"" announced the development of a hybrid SMG-3016 platform supporting up to 3,000 subscribers. The platform can act both as a trunk gateway that provides PSTN (Ye1) signals and media flows interfacing VoIP with networks, and as IP a trunk gateway AUTOMATIC TELEPHONE EXCHANGE with the ability to pass SORM under Orders No. 70 and No. 268.

Eltex Hybrid Platform SMG-3016

According to the developer, thanks to the wide functionality and a range of tasks to be solved, this platform will be of interest both for corporate clients and for government agencies. The possibility of registering subscribers directly at the gateway itself for the provision of telephony services and delivery of SORM according to orders No. 70 and No. 268, according to the developer, optimizes the cost of building a telephone network, and the ability to reserve the device both by power supply and by Master-Slave scheme increases the reliability of the system as a whole.

The device has a Quad-Core ARMv8 64bit processor, supports up to 768 spoken channels and provides simultaneous operation of up to 16 Ye1 streams. Call processing performance reaches 120 CPS. High fault tolerance is SMG-3016 achieved by supporting two power supplies (48V DC or 220V AC) and operation in 1 + 1 lightweight standby mode with the ability to reserve both IP connections and E1 streams, noted in Eltex.

Management interfaces:

• RS-232 console port (RJ-45) for CLI access;
• Dedicated Ethernet port OOB 1G (RJ-45) to access WEB/SSH.

Ethernet interfaces:

• Two 1G ports (RJ-45);
• Two 1G combo ports (SFP/RJ-45).

TDM interfaces:

• 16 E1 ports (RJ-48)
• Two external synchronization inputs.

Connecting external drives:

• Two 2.5 "slots; SATA HDD
• Two USB 2.0 connectors.

Eltex plans to launch a trunk gateway for mass production in the third quarter of 2019.

2017: SMG-1016M

As of January 26, 2017, SMG-1016M is a trunk gateway for pairing TDM and VoIP signal and media streams, IP-PBX with support for DVO and SORM functions.

The technology can be a universal solution for creating infocommunication communication networks. Wide functionality, compliance with standards and reliability of the operator class allow solving most of the tasks that arise from operators and service providers on the basis of SMG-1016M.

SMG-1016M, (2016)

SMG-1016M makes it possible to evenly distribute investments for scaling during the entire project implementation period. The supports 4 to 16 Ye1 streams (OKS7 PRI) and 128 to 768 VoIP channels .

The high level of fault tolerance of the SMG-1016M trunk gateway is ensured by:

• Marvell chip,
• uniform load distribution between sub-modules,
• redundancy of power supplies,
• using modern parallel computing technologies
• automatic switchover to the standby module in case of failure of any sub-module of the system, power supply module.

Compliance with the requirements of modern protocols, recommendations and standards ensures 100% interoperability of SMG-1016M with equipment:

• digital PBXs,
• IP PBX,
• software switches,
• VoIP gateways,
• SIP phones,
• SIP software clients
• other equipment.

Hardware transcoding based on Mindspeed Technologies media codecs allows you to coordinate media streams with various VoIP codecs that are used in modern communication networks.

Additional options for the SMG-1016M gateway allow you to use it as a fully functional IP PBX with the ability to register up to 2000 SIP components, provide a wide set of DVO for 1000 SIP components, and full compliance with the requirements of regulatory documents for. SORM The IP-PBX software module ECSS-10 developed on the basis of the Erlang functional programming language, designed to create reliable high-load operator-level systems. The availability of all types of certificates for the ECSS-10 family of products allows you to use the IP-PBX ECSS-10 based on the trunk gateway SMG-1016M as a PBX of any level with subsequent acceptance by the and authorities. Federal Information Technologies Agency FSB

The trunk gateway SMG-1016M provides intelligent protection against unauthorized external connections of SIP subscribers (fail2ban, iptables, white/black lists, etc.). For additional protection, when connecting to public IP networks, compatibility is provided with border session controllers (for example, SBC-1000) that perform firewall functions for VoIP networks.

Intelligent routing of calls based on the responses of the billing system using the RADIUS protocol allows you to build flexible rules for call processing.