CVE-2025-47780
Description
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
How to fix CVE-2025-47780
To remediate CVE-2025-47780, upgrade the affected package to a fixed version below.
- —upgrade to 1:16.28.0~dfsg-0+deb11u7 or later
Is CVE-2025-47780 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1:16.28.0~dfsg-0+deb11u7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |