CVE-2025-1131

NameCVE-2025-1131
DescriptionA local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4326-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)bullseye1:16.28.0~dfsg-0+deb11u4vulnerable
bullseye (security)1:16.28.0~dfsg-0+deb11u8fixed
sid1:22.6.0~dfsg+~cs6.15.60671435-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksourcebullseye1:16.28.0~dfsg-0+deb11u8DLA-4326-1
asterisksource(unstable)1:22.5.1~dfsg+~cs6.15.60671435-1

Notes

https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp
https://github.com/asterisk/asterisk/commit/f97361952023625e8dd49ca03454777fad19fedb (23.0.0-pre1)
https://github.com/asterisk/asterisk/commit/7ba06dc6ee5efd4edfe79690ad8d61a33b92ce3d (22.5.1)
Search for package or bug name: Reporting problems