Certificate Management Vulnerability in Sennheiser HeadSetup


Oct 29, 2004
The Sennheiser HeadSetup SDK supports the use of a locally connected headset by webbased softphones in a browser, loaded from a server web site via HTTPS.
According to [Senn2018], the way HeadSetup supports this application scenario is by opening a local secure web socket (WSS) through which the headset can be accessed from within the browser.
According to Sennheiser, the browser must be able to access this local web socket through a trusted HTTPS connection in order to bypass cross origin resource sharing (CORS) restrictions implemented by relevant browsers. Hence, the HeadSetup SDK needs a locally trusted TLS server certificate issued to the localhost IP address1 ( and the associated private key.