CVE-2025-47779 — Improper Neutralization of Delimiters in Asterisk
Severity: 6.5 MEDIUM (NVD)
EPSS: 0.3% (top 48.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published May 22; latest update Sep 15
Description
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, authentication of SIP requests of type MESSAGE (RFC 3428) is not properly aligned with the authenticated identity. An authenticated attacker can spoof any user identity to send spam messages to a user using their own authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages that can be spoofed to…
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6
Affected packages: 5 packages
Vulnerability Details

Vendor Advisories (1)
- Debian (2025): CVE-2025-47779: asterisk - Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.2...

Community (3)
- Bugzilla (2025-09-15): CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [epel-all]
- Bugzilla (2025-09-15): CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-41]
- Bugzilla (2025-09-15): CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-42]