CVE-2025-47780

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-47780
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2 Exploit Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:-:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert10:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert11:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert12:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert13:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert6:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert7:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert9:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*
History

03 Nov 2025, 20:19

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html -
Information

Published : 2025-05-22 17:15

Updated : 2025-11-03 20:19

NVD link : CVE-2025-47780

Mitre link : CVE-2025-47780

CVE.ORG link : CVE-2025-47780

JSON object : View

Products Affected

sangoma

  • asterisk
  • certified_asterisk
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')