CVSS 3.1 base score 7.7 (as assigned by security-advisories@github.com; NVD rates it 6.5, see the score table below)
CVE-2025-47779
- EPSS 0.11%
- Published 2025-05-22 16:54:26
- Last modified 2025-11-03 20:19:05
- Source security-advisories@github.com
Asterisk is an open-source private branch exchange (PBX). Prior to Asterisk versions 18.26.2, 20.14.1, 21.9.1 and 22.4.1, and certified-asterisk versions 18.9-cert14 and 20.7-cert5, authentication of SIP MESSAGE requests (RFC 3428) is not aligned with the identity the request asserts: the sender's credentials are verified, but the identity carried in the message (its From header) is not checked against the authenticated endpoint. An authenticated attacker can therefore use their own authorization to send messages that appear to come from any other user, so the resulting chat messages can be made to look as if they came from trusted parties. Administrators who follow the project's Security best practices and Security Considerations are still affected. Abuse of the issue leads to spam and enables social engineering, phishing and similar attacks. Asterisk versions 18.26.2, 20.14.1, 21.9.1 and 22.4.1 and certified-asterisk versions 18.9-cert14 and 20.7-cert5 fix the issue.
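The flaw pattern described above, modelled as an added example (not Asterisk's code, and not the project's actual fix): a minimal SIP MESSAGE handler that verifies Digest credentials but never ties the From identity to the authenticated endpoint, beside a hardened variant that does. The PBX name, realm, fixed nonce, endpoint passwords and the 1:1 mapping between an endpoint and the identity it may assert are all constructed assumptions for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed fixture (hypothetical PBX, not an Asterisk configuration): two
# endpoints with passwords and a fixed server nonce. A real server issues a
# fresh nonce per 401 challenge; it is fixed here so the example runs offline.
REALM = "pbx.example"
NONCE = "5f1c0a9e3b7d"
ENDPOINT_PASSWORDS = {"alice": "alice-pw-1", "bob": "bob-pw-2"}
REQUEST_URI = "sip:alice@pbx.example"


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user: str, password: str, method: str, uri: str) -> str:
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{NONCE}:{ha2}")


def build_message(from_user: str, auth_user: str, auth_password: str,
                  body: str = "please reset your password") -> str:
    """Construct a SIP MESSAGE; the From identity and the Digest credentials may differ."""
    response = digest_response(auth_user, auth_password, "MESSAGE", REQUEST_URI)
    return (
        f"MESSAGE {REQUEST_URI} SIP/2.0\r\n"
        f"From: <sip:{from_user}@pbx.example>;tag=1a2b3c\r\n"
        f"To: <sip:alice@pbx.example>\r\n"
        f'Authorization: Digest username="{auth_user}", realm="{REALM}", '
        f'nonce="{NONCE}", uri="{REQUEST_URI}", response="{response}"\r\n'
        f"Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n{body}"
    )


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP request into request line, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def uri_user(header_value: str) -> Optional[str]:
    """User part of the first sip: URI in a From/To header value."""
    match = re.search(r"sip:([^@>;]+)@", header_value)
    return match.group(1) if match else None


def digest_param(auth_header: str, name: str) -> Optional[str]:
    match = re.search(rf'\b{name}="([^"]*)"', auth_header)
    return match.group(1) if match else None


def authenticate(request_line: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the endpoint whose Digest credentials verify, else None."""
    auth = headers.get("authorization", "")
    user = digest_param(auth, "username")
    method, request_uri = request_line.split(" ")[:2]
    if user not in ENDPOINT_PASSWORDS:
        return None
    if digest_param(auth, "nonce") != NONCE or digest_param(auth, "uri") != request_uri:
        return None
    expected = digest_response(user, ENDPOINT_PASSWORDS[user], method, request_uri)
    presented = digest_param(auth, "response") or ""
    return user if hmac.compare_digest(expected, presented) else None


def accept_message_vulnerable(raw: str) -> bool:
    """Flaw pattern: credentials are verified, the asserted From identity is not."""
    request_line, headers, _ = parse_request(raw)
    return authenticate(request_line, headers) is not None


def accept_message_hardened(raw: str) -> bool:
    """Hardened: the From identity must be the authenticated endpoint's own."""
    request_line, headers, _ = parse_request(raw)
    endpoint = authenticate(request_line, headers)
    return endpoint is not None and uri_user(headers.get("from", "")) == endpoint


if __name__ == "__main__":
    legit = build_message(from_user="bob", auth_user="bob", auth_password="bob-pw-2")
    spoofed = build_message(from_user="alice", auth_user="bob", auth_password="bob-pw-2")
    for label, msg in (("legitimate", legit), ("spoofed From", spoofed)):
        print(f"{label:12} vulnerable={accept_message_vulnerable(msg)} "
              f"hardened={accept_message_hardened(msg)}")
```

Both handlers reject bad credentials; only the hardened one rejects the message that Bob authenticates but labels as coming from Alice. In a real deployment an endpoint may legitimately assert more than one identity, so the check would compare against the endpoint's configured set of identities rather than a single name.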
Matched by AI from unstructured data to existing NVD CPEs
Data provided by the National Vulnerability Database (NVD)
- Sangoma ≫ Certified Asterisk, version < 18.9
- Sangoma ≫ Certified Asterisk, version 18.9, update - (none)
- Sangoma ≫ Certified Asterisk, version 18.9, update cert1
- Sangoma ≫ Certified Asterisk, version 18.9, update cert1-rc1
- Sangoma ≫ Certified Asterisk, version 18.9, update cert2
- Sangoma ≫ Certified Asterisk, version 18.9, update cert3
- Sangoma ≫ Certified Asterisk, version 18.9, update cert4
- Sangoma ≫ Certified Asterisk, version 18.9, update cert5
- Sangoma ≫ Certified Asterisk, version 18.9, update cert6
- Sangoma ≫ Certified Asterisk, version 18.9, update cert7
- Sangoma ≫ Certified Asterisk, version 18.9, update cert8
- Sangoma ≫ Certified Asterisk, version 18.9, update cert8-rc1
- Sangoma ≫ Certified Asterisk, version 18.9, update cert8-rc2
- Sangoma ≫ Certified Asterisk, version 18.9, update cert9
- Sangoma ≫ Certified Asterisk, version 18.9, update cert10
- Sangoma ≫ Certified Asterisk, version 18.9, update cert11
- Sangoma ≫ Certified Asterisk, version 18.9, update cert12
- Sangoma ≫ Certified Asterisk, version 18.9, update cert13
- Sangoma ≫ Certified Asterisk, version 20.7, update cert1
- Sangoma ≫ Certified Asterisk, version 20.7, update cert1-rc1
- Sangoma ≫ Certified Asterisk, version 20.7, update cert1-rc2
- Sangoma ≫ Certified Asterisk, version 20.7, update cert2
- Sangoma ≫ Certified Asterisk, version 20.7, update cert3
- Sangoma ≫ Certified Asterisk, version 20.7, update cert4
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.11% | 0.307 |

| Source | Base Score | Exploitability Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| security-advisories@github.com | 7.7 | 3.1 | 4.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
CWE-140 Improper Neutralization of Delimiters
The product does not neutralize or incorrectly neutralizes delimiters.
CWE-792 Incomplete Filtering of One or More Instances of Special Elements
The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.