CVE-2025-1131

23.09.2025, 05:15

A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions.


Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Gridware	CNA	---				---
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 10%

Vendor	Product	Version
sangoma	asterisk	𝑥 < 18.26.3
sangoma	asterisk	20.0.0 ≤ 𝑥 < 20.15.1
sangoma	asterisk	21.0.0 ≤ 𝑥 < 21.10.1
sangoma	asterisk	22.0.0 ≤ 𝑥 < 22.5.1
sangoma	certified_asterisk	18.9:cert1
sangoma	certified_asterisk	18.9:cert1-rc1
sangoma	certified_asterisk	18.9:cert10
sangoma	certified_asterisk	18.9:cert11
sangoma	certified_asterisk	18.9:cert12
sangoma	certified_asterisk	18.9:cert13
sangoma	certified_asterisk	18.9:cert14
sangoma	certified_asterisk	18.9:cert15
sangoma	certified_asterisk	18.9:cert2
sangoma	certified_asterisk	18.9:cert3
sangoma	certified_asterisk	18.9:cert4
sangoma	certified_asterisk	18.9:cert5
sangoma	certified_asterisk	18.9:cert6
sangoma	certified_asterisk	18.9:cert7
sangoma	certified_asterisk	18.9:cert8
sangoma	certified_asterisk	18.9:cert8-rc1
sangoma	certified_asterisk	18.9:cert8-rc2
sangoma	certified_asterisk	18.9:cert9
sangoma	certified_asterisk	20.7:cert1
sangoma	certified_asterisk	20.7:cert1-rc1
sangoma	certified_asterisk	20.7:cert1-rc2
sangoma	certified_asterisk	20.7:cert2
sangoma	certified_asterisk	20.7:cert3
sangoma	certified_asterisk	20.7:cert4
sangoma	certified_asterisk	20.7:cert5
sangoma	certified_asterisk	20.7:cert6

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp

Common Weakness Enumeration

CWE-427 - Uncontrolled Search Path Element
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

References

https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp

https://lists.debian.org/debian-lts-announce/2025/10/msg00006.html