CVE-2025-47780

Summary

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring cli_permissions.conf (e.g. with the config line deny=!*) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the cli_permissions.conf file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

Affected Software

VendorProductVersion RangeStatus
asteriskasterisk< 18.9-cert14affected
asteriskasterisk>= 18.10, < 18.26.2affected
asteriskasterisk>= 20.0, < 20.7-cert5affected
asteriskasterisk>= 20.8, < 20.14.1affected
asteriskasterisk>= 21.0, < 21.9.1affected
asteriskasterisk>= 22.0, < 22.4.1affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References