CVE-2025-49832

EPSS 0.18%
Veröffentlicht 01.08.2025 17:57:29
Zuletzt bearbeitet 04.08.2025 15:06:15
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerasterisk

≫

Produkt asterisk

Version < 18.26.3

Status affected

Version >= 20.00.0, < 20.15.1

Status affected

Version >= 21.00.0, < 21.10.1

Status affected

Version >= 22.00.0, < 22.5.1

Status affected

Version >= 20.7-cert6, < 20.7-cert7

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.401

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr

https://nvd.nist.gov/vuln/detail/CVE-2025-49832

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-49832

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-49832

EUVD