CVE-2025-47780 Information
Description
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2 20.14.1 21.9.1 and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring cli_permissions.conf (e.g. with the config line deny=!) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the cli_permissions.conf file to work and expects it to deny all attempts to execute shell commands then this could lead to a security vulnerability. Versions 18.26.2 20.14.1 21.9.1 and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
Reference
https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
Share on: