CVE-2025-47780 — OS Command Injection in Asterisk

CWE-78 — OS Command Injection3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.6%

top 31.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asterisk Sangoma Asterisk Sangoma Certified Asterisk +1 more

Timeline

PublishedMay 22

Description

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to w…

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages5 packages

▶NVDsangoma/certified_asterisk< 18.9+2

▶debiandebian/asterisk< asterisk 1:16.28.0~dfsg-0+deb11u7 (bullseye)

▶NVDsangoma/asterisk20.0.0 — 20.14.1+3

▶CVEListV5asterisk/asterisk< 18.9-cert14+5

▶Debianasterisk/asterisk< 1:16.28.0~dfsg-0+deb11u7

🔴Vulnerability Details

OSV

CVE-2025-47780: Asterisk is an open-source private branch exchange (PBX)↗2025-05-22

▶

📋Vendor Advisories

Debian

CVE-2025-47780: asterisk - Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.2...↗2025

▶