Vulnerability in Asterisk Affects Command Line Permission Settings
CVE-2025-47780

4.8 MEDIUM

Key Information:

Vendor: Asterisk

Status
Vendor
CVE Published: 22 May 2025

What is CVE-2025-47780?

A vulnerability has been identified in the Asterisk PBX that improperly handles command line permissions. Administrators relying on the cli_permissions.conf configuration to restrict shell commands may find that their settings do not function as intended. This oversight could allow unauthorized command execution, posing significant security risks. Users are advised to update to Asterisk version 18.26.2, 20.14.1, 21.9.1 or 22.4.1, or to certified-asterisk version 18.9-cert14 or 20.7-cert5, to mitigate this issue.

Affected Version(s)

asterisk < 18.9-cert14

asterisk >= 18.10, < 18.26.2

asterisk >= 20.0, < 20.7-cert5

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
