CVE-2019-18610
published 2019-11-22

Priority: P268 | high | 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 29.64% (98.0th percentile)
An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.10.0~dfsg-1 (bullseye) | asterisk 1:16.10.0~dfsg-1 (bullseye) |
| debian | debian_linux | | |
| debian | debian_linux | | |
| digium | asterisk | >= 0 < 1:16.10.0~dfsg-1 | 1:16.10.0~dfsg-1 |
| digium | asterisk | >= 13.0.0 < 13.29.2 | 13.29.2 |
| digium | asterisk | >= 16.0.0 < 16.6.2 | 16.6.2 |
| digium | asterisk | >= 17.0.0 < 17.0.1 | 17.0.1 |
| digium | certified_asterisk | | |

Detection & IOCs (extracted from sources)

path: /tmp/
command: Action: Originate
snort:
alert tcp any any -> any any (msg:"ET EXPLOIT Sangoma Asterisk Originate AMI RCE (CVE-2019-18610) (PoC Based)"; content:"Action|3a 20|Originate"; nocase; distance:0; fast_pattern; content:"Data|3a|"; nocase; distance:0; content:"|20|/tmp/"; nocase; within:45; reference:cve,2019-18610; classtype:attempted-admin; sid:2035014; rev:2; metadata:created_at 2022_01_28, cve CVE_2019_18610, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_28;)
  • Detect AMI traffic containing 'Action: Originate' combined with a 'Data:' field referencing /tmp/ — this pattern matches the PoC exploit for CVE-2019-18610 where a crafted Originate AMI request is used to execute arbitrary system commands.
  • The vulnerability is in manager.c; monitor AMI sessions for authenticated users without 'system' authorization issuing Originate requests with shell command payloads in the Data field.
  • The Snort/ET rule is described as PoC-based, meaning it targets known proof-of-concept exploit patterns (specifically /tmp/ paths in the Data field) and may not catch all variants of exploitation.
  • The vulnerability affects Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4; ensure patching to at least 1:16.10.0~dfsg-1 (Debian) or equivalent upstream fix per AST-2019-007.
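
The notes above can also be applied host-side to recorded AMI sessions. The following is an added example, not code from this page or from the Asterisk project: it parses a captured AMI session, flags the same `/tmp/` pattern the rule matches, and goes one step further by marking for review any Originate carrying a `Data` header from an account without the `system` write class. The `WRITE_CLASSES` map, the account names and the sample session are constructed assumptions.

```python
import re

# Constructed write classes per AMI account (assumption: mirrors write= in manager.conf).
WRITE_CLASSES = {"dialer": {"originate", "call"}, "admin": {"system", "originate"}}

def parse_ami(stream: str):
    """Split an AMI capture into messages: 'Key: Value' lines, blank line ends a message."""
    for block in re.split(r"\r?\n\r?\n", stream.strip()):
        msg = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                msg[key.strip().lower()] = value.strip()  # header names compared case-insensitively
        if msg:
            yield msg

def triage(stream: str, write_classes=WRITE_CLASSES):
    """Return (username, verdict) for every Originate action in one AMI session."""
    user, findings = None, []
    for msg in parse_ami(stream):
        action = msg.get("action", "").lower()
        if action == "login":
            user = msg.get("username")
        elif action == "originate":
            if "/tmp/" in msg.get("data", "").lower():
                verdict = "poc-pattern"   # same indicator as the Snort rule
            elif "data" in msg and "system" not in write_classes.get(user, set()):
                verdict = "review"        # variant coverage: non-system user passing Data
            else:
                verdict = "ok"
            findings.append((user, verdict))
    return findings

# Constructed sample session; application names and values are placeholders.
SAMPLE = (
    "Action: Login\r\nUsername: dialer\r\nSecret: REDACTED\r\n\r\n"
    "Action: Originate\r\nChannel: PJSIP/100\r\nContext: default\r\nExten: 200\r\nPriority: 1\r\n\r\n"
    "Action: Originate\r\nChannel: Local/s@default\r\nApplication: Playback\r\nData: hello-world\r\n\r\n"
    "action: originate\r\nChannel: Local/s@default\r\nApplication: EXAMPLE_APP\r\n"
    "Data: /tmp/constructed-placeholder\r\n\r\n"
)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The `review` verdict is deliberately broad and will include legitimate Originate calls; it is a triage list for unpatched hosts, not an alert.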

CVSS provenance

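| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |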