Vulnerability DatabaseCVE-2025-47779
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-47779
May 22, 2025
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
Affected Packages
https://github.com/asterisk/asterisk.git (GITHUB):
Affected version(s) >=0.1.0 <18.26.2
Fix Suggestion:
Update to version 18.26.2
https://github.com/asterisk/asterisk.git (GITHUB):
Affected version(s) >=22.0.0 <22.4.1
Fix Suggestion:
Update to version 22.4.1
https://github.com/asterisk/asterisk.git (GITHUB):
Affected version(s) >=certified-20.7-cert1 <certified-20.7-cert5
Fix Suggestion:
Update to version certified-20.7-cert5
https://github.com/asterisk/asterisk.git (GITHUB):
Affected version(s)
Fix Suggestion:
Update to version certified-18.9-cert14
https://github.com/asterisk/asterisk.git (GITHUB):
Affected version(s) >=21.0.0 <21.9.1
Fix Suggestion:
Update to version 21.9.1
https://github.com/asterisk/asterisk.git (GITHUB):
Affected version(s) >=19.0.0 <20.14.1
Fix Suggestion:
Update to version 20.14.1
Related Resources (2)
https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw
https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.7
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Delimiters
CWE-140
Incomplete Filtering of One or More Instances of Special Elements
CWE-792
EPSS
Base Score:
0.10