cbcvebase.
CVE-2024-57520
published 2025-02-05

CVE-2024-57520: Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is…

PriorityP346critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.97%
57.5th percentile
Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.

Affected

2 ranges
VendorProductVersion rangeFixed in
debianasterisk< asterisk 1:22.3.0~dfsg+~cs6.15.60671435-1 (sid)asterisk 1:22.3.0~dfsg+~cs6.15.60671435-1 (sid)
sangomaasterisk22.0.0 – 22.5.1

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
vendor_debian9.8LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.