CVE-2025-49832
BaseFortify

Publication date: 2025-08-01

Last updated on: 2025-08-25

Assigner: GitHub, Inc.

Description
Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, and 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken/verification.c`. It can be exploited when an attacker can set an arbitrary Identity header, or when STIR/SHAKEN is enabled with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.
Meta Information
Generated: 2026-05-27
AI Q&A: 2025-08-01
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 13 associated CPEs
Vendor   Product             Version / Range
sangoma  asterisk            up to 18.26.3 (exc)
sangoma  asterisk            from 20.0.0 (inc) to 20.15.1 (exc)
sangoma  asterisk            from 21.0.0 (inc) to 21.10.1 (exc)
sangoma  asterisk            from 22.0.0 (inc) to 22.5.1 (exc)
sangoma  certified_asterisk  up to 18.9 (inc)
sangoma  certified_asterisk  20.7
CWE ID   Description
CWE-476  The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Asterisk's STIR/SHAKEN verification component. An attacker who can set an arbitrary Identity header, or who targets an endpoint whose SIP profile has STIR/SHAKEN enabled with verification set, can trigger a remote denial of service (DoS) and possibly remote code execution (RCE). It affects Asterisk versions up to 18.26.2 and specific other versions, and is fixed in later versions.


How can this vulnerability impact me?

The vulnerability can lead to a remote denial of service (DoS), disrupting telephony services, and potentially allow remote code execution (RCE), which could enable an attacker to execute arbitrary code on the affected system.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Asterisk to a fixed version where this vulnerability is resolved: specifically, update to version 18.26.3, 20.7-cert6, 20.15.1, 21.10.1, or 22.5.1, or later. Additionally, review and disable STIR/SHAKEN verification in the SIP profile if it is not required, to reduce exposure until the update can be applied.

