CVE-2025-49832
Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.
Asterisk es un kit de herramientas de telefonía y centralitas privadas de código abierto. En las versiones hasta la 18.26.2 (incluida), entre las 20.00.0 y 20.15.0, 20.7-cert6, 21.00.0 y 22.00.0 a 22.5.0, existe una condición de denegación de servicio (DoS) remota y un posible RCE en `asterisk/res/res_stir_shaken /verification.c` que puede explotarse cuando un atacante puede configurar un encabezado de identidad arbitrario, o si STIR/SHAKEN está habilitado, con la verificación configurada en el perfil SIP asociado al endpoint atacado. Esto se ha corregido en las versiones 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 y 22.5.1.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2025-06-11 CVE Reserved
- 2025-08-01 CVE Published
- 2025-08-04 CVE Updated
- 2025-08-07 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-476: NULL Pointer Dereference
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Asterisk Search vendor "Asterisk" | Asterisk Search vendor "Asterisk" for product "Asterisk" | < 18.26.3 Search vendor "Asterisk" for product "Asterisk" and version " < 18.26.3" | en |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Asterisk Search vendor "Asterisk" for product "Asterisk" | >= 20.00.0 < 20.15.1 Search vendor "Asterisk" for product "Asterisk" and version " >= 20.00.0 < 20.15.1" | en |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Asterisk Search vendor "Asterisk" for product "Asterisk" | >= 21.00.0 < 21.10.1 Search vendor "Asterisk" for product "Asterisk" and version " >= 21.00.0 < 21.10.1" | en |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Asterisk Search vendor "Asterisk" for product "Asterisk" | >= 22.00.0 < 22.5.1 Search vendor "Asterisk" for product "Asterisk" and version " >= 22.00.0 < 22.5.1" | en |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Asterisk Search vendor "Asterisk" for product "Asterisk" | 20.7 Search vendor "Asterisk" for product "Asterisk" and version "20.7" | en |
Affected
| ||||||