CVE-2025-49832 Information

Description

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2 between 20.00.0 and 20.15.0 20.7-cert6 21.00.0 22.00.0 through 22.5.0 there is a remote DoS and possible RCE condition in asterisk/res/res_stir_shaken /verification.c that can be exploited when an attacker can set an arbitrary Identity header or STIR/SHAKEN is enabled with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3 20.7-cert6 20.15.1 21.10.1 and 22.5.1.

Reference

https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr

Related CNNVD

CNNVD-202508-065 (Published: 2025-08-01)