CVE-2025-47779
Published: 2025-05-22
Priority: P3 · 38
CVSS 3.1: 6.5 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.42% (33.5th percentile)
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, authentication of SIP MESSAGE requests (RFC 3428) is not properly aligned with the identity the request asserts: an attacker holding valid credentials for one endpoint can send a MESSAGE whose From header claims any other user identity, and the message is accepted on the strength of the attacker's own authorization token. The Red Hat trackers below describe the vector as a malformed From header carrying ";" or a NUL byte in the name portion. Fake chat messages can therefore be made to appear to come from trusted entities, and even administrators who follow the Asterisk Security best practices and Security Considerations guidance can be affected. Abuse leads to spam and enables social engineering, phishing, and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
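To make the alignment failure concrete, here is an added example (not Asterisk's code, and not a reproduction of its internals, which this page does not show) of the check a PBX should run before relaying a MESSAGE: the user in the From header, parsed per RFC 3261 so that a quoted display-name containing ";" cannot derail it, must equal the Digest username that authenticated the request, and a From header that two parsers read differently, or that carries a NUL byte, is refused. The ";" and NUL cases mirror the Red Hat tracker title further down the page. The request, the domain pbx.example and the users mallory, boss and bob are constructed for the example; the Authorization header's response value is a placeholder and is not verified here.

```python
"""Added example, not Asterisk's own code: align the identity asserted in a SIP
MESSAGE From header with the identity that authenticated the request.

Two parsers are run over From.  A naive one strips ';'-parameters first and is
derailed by a quoted display-name containing ';'; the hardened one follows the
RFC 3261 grammar (display-name, then <addr-spec>, then params) and rejects NUL.
If the parsers disagree the header is ambiguous and the message is refused,
because two components reading it differently is how a sender identity gets forged.
"""
import re

_AUTH_USER_RE = re.compile(r'username="([^"]*)"')      # Digest Authorization (RFC 3261 s22)
_URI_USER_RE = re.compile(r'sips?:([^@;>]+)@')         # user part of a SIP/SIPS URI


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values (request line skipped, first value wins)."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def naive_from_user(from_hdr: str):
    """Fragile: drop everything after the first ';', then take the first URI user."""
    m = _URI_USER_RE.search(from_hdr.split(";", 1)[0])
    return m.group(1) if m else None


def hardened_from_user(from_hdr: str):
    """RFC 3261: From = (name-addr / addr-spec) *(SEMI from-param); the display-name
    may be a quoted-string that legally contains ';', '<' or '>'."""
    if "\x00" in from_hdr:
        return None                       # NUL is never valid in a SIP header
    s = from_hdr.strip()
    if s.startswith('"'):                 # skip quoted display-name, honouring \-escapes
        i = 1
        while i < len(s) and s[i] != '"':
            i += 2 if s[i] == "\\" else 1
        s = s[i + 1:].lstrip()
    if "<" in s:                          # name-addr: the user lives inside <...>
        start = s.index("<")
        end = s.find(">", start)
        if end == -1:
            return None
        addr_spec = s[start + 1:end]
    else:                                 # bare addr-spec: params start at first ';'
        addr_spec = s.split(";", 1)[0]
    m = _URI_USER_RE.match(addr_spec.strip())
    return m.group(1) if m else None


def check_message(raw: str) -> dict:
    """Return the verdict a PBX should reach before relaying a MESSAGE."""
    h = parse_headers(raw)
    from_hdr = h.get("from", "")
    m = _AUTH_USER_RE.search(h.get("authorization", ""))
    auth_user = m.group(1) if m else None
    strict, loose = hardened_from_user(from_hdr), naive_from_user(from_hdr)
    if "\x00" in from_hdr:
        verdict = "reject: NUL byte in From"
    elif strict is None:
        verdict = "reject: unparseable From"
    elif strict != loose:
        verdict = "reject: ambiguous From (parsers disagree)"
    elif auth_user is None or strict != auth_user:
        verdict = "reject: From user does not match authenticated user"
    else:
        verdict = "accept"
    return {"auth_user": auth_user, "from_user": strict,
            "naive_from_user": loose, "verdict": verdict}


def sample_message(from_hdr: str) -> str:
    """Constructed MESSAGE request; 'mallory' authenticates with her own credentials."""
    return (
        "MESSAGE sip:bob@pbx.example SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776\r\n"
        f"From: {from_hdr}\r\n"
        "To: <sip:bob@pbx.example>\r\n"
        "Call-ID: a84b4c76e66710@198.51.100.7\r\n"
        "CSeq: 1 MESSAGE\r\n"
        'Authorization: Digest username="mallory", realm="pbx.example", '
        'nonce="dcd98b", uri="sip:bob@pbx.example", response="6629fae4"\r\n'
        "Content-Type: text/plain\r\nContent-Length: 23\r\n\r\n"
        "Please wire the payment"
    )


if __name__ == "__main__":
    cases = {
        "legit":     '"Mallory" <sip:mallory@pbx.example>;tag=1',
        "plain":     "<sip:boss@pbx.example>;tag=1",
        "semicolon": '"Boss <sip:boss@pbx.example>;x" <sip:mallory@pbx.example>;tag=2',
        "nul":       '"Boss\x00" <sip:mallory@pbx.example>;tag=3',
    }
    for name, hdr in cases.items():
        print(f"{name:10s} {check_message(sample_message(hdr))['verdict']}")
```

Run as a script to see the four verdicts. The design point is that the comparison must use the same URI parser as the component that builds the outgoing From header: the spoof in the "semicolon" case works only because a ";"-splitting reader sees boss while a grammar-following reader sees mallory, so refusing any header the two readers disagree on closes the gap even before the exact-match check runs.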
Affected (15 ranges indexed; rows that carried no version data are omitted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | asterisk | < 18.9-cert14 | 18.9-cert14 |
| asterisk | asterisk | >= 0 < 1:16.28.0~dfsg-0+deb11u7 (Debian package version) | 1:16.28.0~dfsg-0+deb11u7 |
| debian | asterisk | < 1:16.28.0~dfsg-0+deb11u7 (bullseye) | 1:16.28.0~dfsg-0+deb11u7 (bullseye) |
| sangoma | asterisk | < 18.26.2 | 18.26.2 |
| sangoma | asterisk | >= 20.0.0 < 20.14.1 | 20.14.1 |
| sangoma | asterisk | >= 21.0.0 < 21.9.1 | 21.9.1 |
| sangoma | asterisk | >= 22.0.0 < 22.4.1 | 22.4.1 |
| sangoma | certified_asterisk | < 18.9-cert14 | 18.9-cert14 |
| sangoma | certified_asterisk | < 20.7-cert5 | 20.7-cert5 |
Certified-asterisk fixed versions are those stated in the advisory text above.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| osv | | 6.5 | MEDIUM | |
| vendor_debian | | 7.7 | HIGH | |
Debian
vendor_debian · 2025 · CVSS 7.7 (HIGH)
CVE-2025-47779: asterisk - same advisory text as above.
OSV
osv · 2025-05-22 · CVSS 6.5 (MEDIUM)
CVE-2025-47779: same advisory text as above.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [epel-all]
bugzilla · 2025-09-15 · CVSS 7.7 (HIGH)
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
The issue (CVE-2025-47779) is addressed in Asterisk version 18.26.2. The fix is now available via the asterisk-18.26.4 update for EPEL 8 and EPEL 9.
---
FEDORA-EPEL-2026
Bugzilla
CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-41]
bugzilla · 2025-09-15 · CVSS 7.7 (HIGH)
Discussion:
This message is a reminder that Fedora Linux 41 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 41 on 2025-12-15.
It is Fedo
Bugzilla
CVE-2025-47779 asterisk: Using malformed From header can forge identity with ";" or NULL in name portion [fedora-42]
bugzilla · 2025-09-15 · CVSS 7.7 (HIGH)
Discussion:
The issue (CVE-2025-47779) is addressed in Asterisk version 18.26.2. The fix is now available via the asterisk-18.26.4 update for f42/f43/f44.
---
FEDORA-2026-98decbde8