CVE-2025-54995

Description

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.

How to fix CVE-2025-54995

To remediate CVE-2025-54995, upgrade the affected package to a fixed version below.

Debian/asterisk—upgrade to 1:16.28.0~dfsg-0+deb11u8 or later

Is CVE-2025-54995 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1:16.28.0~dfsg-0+deb11u8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-54995