CVE-2025-1131

Summary

A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions.

Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.

Affected Software

VendorProductVersion RangeStatus
AsteriskAsteriskAsterisk <=18.26.2affected
AsteriskAsteriskAsterisk <= 20.15.0affected
AsteriskAsteriskAsterisk <= 21.10.0affected
AsteriskAsteriskAsterisk <= 22.5.0affected

Weaknesses

  • CWE-427: CWE-427 Uncontrolled Search Path Element

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References