CVE-2025-47780

NameCVE-2025-47780
DescriptionAsterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1106530

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
asterisk (PTS)bullseye1:16.28.0~dfsg-0+deb11u4vulnerable
bullseye (security)1:16.28.0~dfsg-0+deb11u6vulnerable
sid1:22.4.1~dfsg+~cs6.15.60671435-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
asterisksource(unstable)1:22.4.1~dfsg+~cs6.15.60671435-11106530

Notes

https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
https://github.com/asterisk/asterisk/commit/ef1ad68131ff35445660bd0d36a04cf6f9ba6456 (18.26.2)
https://github.com/asterisk/asterisk/commit/9bcdef268432e7591142b1b8de38b2e7871566a5 (22.4.1)

Search for package or bug name: Reporting problems