CVE-2025-47779

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, authentication of SIP MESSAGE requests (RFC 3428) is not properly aligned with the identity asserted in the request. An authenticated attacker can therefore use their own valid credentials (authorization token) to send messages that spoof any other user's identity. Such forged chat messages can be made to appear to come from trusted entities, and even administrators who follow the project's security best practices and Security Considerations can be affected. Abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
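The class of bug described above is a credential that is verified but never bound to the identity the request claims. The following Python is an added illustration of that failure mode and of the aligned check, written for this page; it is not Asterisk's code and does not reproduce Asterisk's internals. The realm, nonce, endpoint passwords and the SIP MESSAGE itself are all constructed for the example, and the Digest computation is the basic RFC 2617 MD5 scheme without nonce-replay tracking.

```python
"""Illustrative SIP MESSAGE identity-alignment check (added example, not Asterisk code)."""
import hashlib
import hmac
import re
from typing import Dict

REALM = "asterisk"                                 # constructed
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"       # constructed, fixed for the example
REQUEST_URI = "sip:carol@pbx.example.net"          # constructed target endpoint
# Constructed credential store standing in for the PBX's endpoint secrets.
PASSWORDS = {"alice": "alice-secret", "bob": "bob-secret"}


def digest_response(user: str, password: str, method: str, uri: str,
                    nonce: str = NONCE, realm: str = REALM) -> str:
    """RFC 2617 MD5 Digest response (no qop), as the client and server both compute it."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def build_message(auth_user: str, password: str, from_user: str,
                  body: str = "Please reset my password") -> str:
    """Constructed SIP MESSAGE: Digest-authenticated as auth_user, asserting From: from_user."""
    resp = digest_response(auth_user, password, "MESSAGE", REQUEST_URI)
    return (
        f"MESSAGE {REQUEST_URI} SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
        f"From: <sip:{from_user}@pbx.example.net>;tag=49583\r\n"
        "To: <sip:carol@pbx.example.net>\r\n"
        "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
        "CSeq: 1 MESSAGE\r\n"
        f'Authorization: Digest username="{auth_user}", realm="{REALM}", '
        f'nonce="{NONCE}", uri="{REQUEST_URI}", response="{resp}"\r\n'
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


def parse(raw: str) -> Dict[str, str]:
    """Minimal header parser: lower-cased names, request method under '_method'."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    headers["_method"] = request_line.split(" ")[0]
    return headers


def auth_params(headers: Dict[str, str]) -> Dict[str, str]:
    """Quoted key="value" pairs from the Authorization header."""
    return dict(re.findall(r'(\w+)="([^"]*)"', headers.get("authorization", "")))


def from_user(headers: Dict[str, str]) -> str:
    """User part of the From URI, or '' if absent."""
    m = re.search(r"<?sips?:([^@>;]+)@", headers.get("from", ""))
    return m.group(1) if m else ""


def credentials_valid(headers: Dict[str, str]) -> bool:
    """Verify the Digest response against the stored secret for the claimed username."""
    p = auth_params(headers)
    pw = PASSWORDS.get(p.get("username", ""))
    if pw is None or p.get("realm") != REALM:
        return False
    expected = digest_response(p["username"], pw, headers["_method"],
                               p.get("uri", ""), p.get("nonce", ""))
    return hmac.compare_digest(expected, p.get("response", ""))


def accept_unaligned(raw: str) -> bool:
    """Weak policy: any endpoint with valid credentials may send as any From identity."""
    return credentials_valid(parse(raw))


def accept_aligned(raw: str) -> bool:
    """Hardened policy: the From user must be the endpoint that actually authenticated."""
    h = parse(raw)
    if not credentials_valid(h):
        return False
    return from_user(h) == auth_params(h).get("username")


if __name__ == "__main__":
    spoofed = build_message("alice", "alice-secret", "bob")   # alice's creds, bob's identity
    print("unaligned accepts spoof:", accept_unaligned(spoofed))
    print("aligned accepts spoof:  ", accept_aligned(spoofed))
```

The spoofed message passes Digest verification because alice's credentials are genuine; only the aligned policy notices that the From identity is not the authenticated endpoint. Real deployments also need nonce freshness and a mapping from authenticated endpoint to its permitted identities, which this example leaves out.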
Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  7.7 HIGH    NETWORK      LOW              LOW             CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
GitHub_M   CNA   7.7 HIGH    NETWORK      LOW              LOW             CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
CISA-ADP   ADP   ---         ---

EPSS Score Percentile: 26%
Vendor   Product             Version
sangoma  asterisk            x < 18.26.2
sangoma  asterisk            20.0.0 ≤ x < 20.14.1
sangoma  asterisk            21.0.0 ≤ x < 21.9.1
sangoma  asterisk            22.0.0 ≤ x < 22.4.1
sangoma  certified_asterisk  x < 18.9
sangoma  certified_asterisk  18.9, 18.9:cert1, 18.9:cert1-rc1, 18.9:cert2, 18.9:cert3, 18.9:cert4, 18.9:cert5, 18.9:cert6, 18.9:cert7, 18.9:cert8, 18.9:cert8-rc1, 18.9:cert8-rc2, 18.9:cert9, 18.9:cert10, 18.9:cert11, 18.9:cert12, 18.9:cert13
sangoma  certified_asterisk  20.7:cert1, 20.7:cert1-rc1, 20.7:cert1-rc2, 20.7:cert2, 20.7:cert3, 20.7:cert4
x = vulnerable software versions
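A practitioner auditing a fleet wants the ranges above turned into a check that can be run against the version string each host reports. The Python below is an added example written for this page, not a tool shipped by the Asterisk project. It encodes only the fixed versions the advisory lists: the open-ended "x < 18.26.2" range is treated as covering every release before 18.26.2, branches the advisory does not mention (for example 19.x) are reported as not covered rather than as safe, and an "-rcN" suffix on a certified build is ignored. The assumption that `asterisk -V` output looks like `Asterisk 20.14.0` or `Asterisk certified/18.9-cert13` is the author's, so adjust the prefix handling if your build prints something else.

```python
"""Check an Asterisk version string against the CVE-2025-47779 fixed versions (added example)."""
import re
from typing import Dict, Optional, Tuple

# First fixed release per Asterisk branch, from the advisory.
ASTERISK_FIXED: Dict[int, Tuple[int, int, int]] = {
    18: (18, 26, 2),
    20: (20, 14, 1),
    21: (21, 9, 1),
    22: (22, 4, 1),
}
# First fixed cert number per certified-asterisk branch, from the advisory.
CERTIFIED_FIXED: Dict[Tuple[int, int], int] = {
    (18, 9): 14,   # 18.9-cert14
    (20, 7): 5,    # 20.7-cert5
}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# Assumed certified format: "certified/18.9-cert13", optionally "-rcN"; plain "18.9" is cert 0.
_CERTIFIED_RE = re.compile(r"^(?:certified/)?(\d+)\.(\d+)(?:-cert(\d+))?(?:-rc\d+)?$")


def is_vulnerable(version_string: str) -> Optional[bool]:
    """True if the advisory lists the version as vulnerable, False if it is a fixed
    release, None if the string is not understood or the branch is not covered."""
    s = re.sub(r"^Asterisk\s+", "", version_string.strip())   # assumed `asterisk -V` prefix

    m = _RELEASE_RE.match(s)
    if m:
        v = tuple(int(x) for x in m.groups())
        if v[0] < 18:
            return True            # falls in the open-ended "x < 18.26.2" range
        fixed = ASTERISK_FIXED.get(v[0])
        if fixed is None:
            return None            # branch not mentioned by the advisory (e.g. 19.x)
        return v < fixed

    m = _CERTIFIED_RE.match(s)
    if m:
        major, minor, cert = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
        fixed_cert = CERTIFIED_FIXED.get((major, minor))
        if fixed_cert is None:
            return True if (major, minor) < (18, 9) else None   # "x < 18.9" is listed
        return cert < fixed_cert

    return None


if __name__ == "__main__":
    for sample in ("Asterisk 20.14.0", "Asterisk 20.14.1", "Asterisk certified/18.9-cert13",
                   "Asterisk certified/20.7-cert5", "Asterisk 19.8.0"):
        print(f"{sample:40s} vulnerable={is_vulnerable(sample)}")
```

A `None` result deserves a manual look rather than a green tick: it means the host is on a branch the advisory does not speak to, or reports a version format this parser does not recognise.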
Ubuntu Releases (package: asterisk)
Codename  Status
plucky    needs-triage
oracular  ignored
noble     needs-triage
jammy     needs-triage
focal     needs-triage
bionic    needs-triage
xenial    needs-triage