O2 Flaw Let Callers Track Users’ Locations Since 2017

A critical flaw in O2 UK’s Voice over LTE (VoLTE) service exposed the real-time location and device identifiers of its mobile customers during phone calls, according to a recent disclosure. The vulnerability, present since the service’s launch in March 2017, leaked sensitive data—including IMSI, IMEI, and precise cell tower information—via improperly configured SIP headers in the IP Multimedia Subsystem (IMS).

The issue, discovered during routine network analysis using a rooted Google Pixel 8, allowed attackers to pinpoint a user’s location by cross-referencing cell tower data with public databases. The flaw persisted even when 4G Calling was disabled.

O2 patched the vulnerability on May 19, 2025, after multiple failed private disclosure attempts. The exposure stemmed from debug information left active in Mavenir’s Unified Access Gateway. The incident affected up to 23 million users and highlights the risks of misconfigured telecom infrastructure and the lack of streamlined vulnerability reporting channels across providers.