cbcvebase.
CVE-2026-23741
published 2026-02-06

CVE-2026-23741: Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the…

PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.17%
7.0th percentile
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Affected

13 ranges
VendorProductVersion rangeFixed in
asteriskasterisk< 23.2.223.2.2
asteriskasterisk< 22.8.222.8.2
asteriskasterisk< 21.12.121.12.1
asteriskasterisk< 20.18.220.18.2
asteriskasterisk< 20.7-cert920.7-cert9
asteriskasterisk>= 0 < 1:16.28.0~dfsg-0+deb11u91:16.28.0~dfsg-0+deb11u9
debianasterisk< asterisk 1:16.28.0~dfsg-0+deb11u9 (bullseye)asterisk 1:16.28.0~dfsg-0+deb11u9 (bullseye)
sangomaasterisk< 20.18.220.18.2
sangomaasterisk>= 21.0.0 < 21.12.121.12.1
sangomaasterisk>= 22.0.0 < 22.8.222.8.2
sangomaasterisk>= 23.0.0 < 23.2.223.2.2
sangomacertified_asterisk<= 18.9
sangomacertified_asterisk

Detection & IOCsextracted from sources · hover to see the quote

path/etc/asterisk/ast_debug_tools.conf
pathasterisk/contrib/scripts/ast_coredumper
  • Monitor for unexpected writes or modifications to /etc/asterisk/ast_debug_tools.conf by the asterisk user or group, which could indicate pre-exploitation staging for privilege escalation.
  • Alert on execution of ast_coredumper as root (UID 0), especially when /etc/asterisk/ast_debug_tools.conf has been recently modified by a non-root user.
  • Audit file integrity of /etc/asterisk/ast_debug_tools.conf; unexpected bash constructs (functions, subshells, command substitutions) injected into this config file are a strong indicator of exploitation attempt.
  • ·The /etc/asterisk/ directory is writable by the asterisk user:group, which is the prerequisite for exploitation. Verify and restrict directory permissions as part of hardening.
  • ·Patched versions are 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. Unpatched deployments running ast_coredumper as root remain exploitable.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8NONE
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.