RTP Resource Leak in Asterisk Open Source Telephony Toolkit
CVE-2025-54995

6.5MEDIUM

Key Information:

Vendor

Asterisk

Status
Asterisk
Vendor
CVE Published:
28 August 2025

What is CVE-2025-54995?

Asterisk, the open-source private branch exchange and telephony toolkit, is affected by a vulnerability that allows RTP UDP ports and internal resources to leak. This issue arises from inadequate session termination, leading to potential resource exhaustion. Users are advised to upgrade to versions 18.26.4 or 18.9-cert17, where the issue has been patched. Failure to address this vulnerability may leave systems open to performance degradation and operational disruption.

Affected Version(s)

asterisk < 18.26.4 < 18.26.4

asterisk < 18.9-cert17 < 18.9-cert17

References

https://github.com/asterisk/asterisk/security/advisories/...
x_refsource_CONFIRM
https://github.com/asterisk/asterisk/pull/1405
x_refsource_MISC
https://github.com/asterisk/asterisk/pull/1406
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-54995 : RTP Resource Leak in Asterisk Open Source Telephony Toolkit