Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2025-47780
Good to know:
Date: May 22, 2025
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring "cli_permissions.conf" (e.g. with the config line "deny=!*") does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the "cli_permissions.conf" file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
Severity Score
Severity Score
Weakness Type (CWE)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-78Top Fix
Upgrade Version
Upgrade to version https://github.com/asterisk/asterisk.git - certified-20.7-cert5;https://github.com/asterisk/asterisk.git - certified-18.9-cert14;https://github.com/asterisk/asterisk.git - 22.4.1;https://github.com/asterisk/asterisk.git - 21.9.1;https://github.com/asterisk/asterisk.git - 20.14.1;https://github.com/asterisk/asterisk.git - 18.26.2
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | LOCAL |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | LOW |
| Availability (A): | LOW |