CVE-2025-54995
BaseFortify

Publication date: 2025-08-28

Last updated on: 2025-11-03

Assigner: GitHub, Inc.

Description
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.
Meta Information
Published: 2025-08-28
Last Modified: 2025-11-03
Generated: 2026-05-27
AI Q&A: 2025-08-28
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor   Product             Version / Range
sangoma  asterisk            up to 18.26.4 (excluding)
sangoma  certified_asterisk  up to 18.9 (excluding)
sangoma  certified_asterisk  18.9
CWE
CWE-1286: The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax.
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-54995 is a vulnerability in the Asterisk telephony software in which RTP UDP ports and internal resources leak because SIP sessions are never terminated. When Asterisk handles a SIP INVITE whose Via header carries a malformed or fixed branch parameter, the BYE that should end the call is not handled correctly, so the call stays up and the RTP ports and module use counts it holds are never released. Each such call keeps its resources indefinitely, so repeated requests lead to resource exhaustion and a denial-of-service (DoS) condition. The issue affects all SIP transports (UDP, TCP and TLS) and was fixed by updating the bundled pjproject library to version 2.15.1, which releases RTP ports correctly once a session ends. [5, 1, 2]


How can this vulnerability impact me?

On a vulnerable Asterisk deployment, a remote attacker can send specially crafted SIP INVITE requests that prevent the resulting calls from being torn down, so every such request leaks RTP UDP ports and internal resources. Over time the available RTP port range is consumed and the use counts of the affected modules keep growing (a module with a non-zero use count also cannot be cleanly unloaded or reloaded), ending in a denial-of-service (DoS) condition in which new calls cannot obtain media ports and the telephony service becomes unavailable or unstable. [5, 1, 2]
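The exhaustion mechanism described above, as an added example that is not code from the Asterisk or pjproject projects: a small Python check that parses `ss -lunp` output, counts the UDP sockets Asterisk holds inside its RTP port range, subtracts the budget the live channels should account for, and reports a leak when that surplus only ever grows across snapshots. It assumes the sample rtp.conf defaults rtpstart=5000 and rtpend=31000, two sockets (RTP and RTCP) per audio channel, a SIP bind port of 5060 that falls inside that range and must be excluded, and the usual `ss -lunp` line layout; the snapshot text and channel counts are constructed for illustration, not real captures.

```python
"""Estimate leaked RTP UDP ports on an Asterisk host from `ss -lunp` output.

Added example (not Asterisk or pjproject code).  A call that was torn down
properly gives its RTP/RTCP sockets back; sockets in the RTP range that exceed
what the live channels account for, and that never shrink between snapshots,
are the leak CVE-2025-54995 describes.
"""
import re

# Assumptions: match these to your rtp.conf, pjsip.conf and codec setup.
RTP_START, RTP_END = 5000, 31000          # sample rtp.conf defaults
PORTS_PER_CHANNEL = 2                     # RTP + RTCP for one audio stream
SIGNALLING_PORTS = frozenset({5060})      # SIP bind port sits inside the RTP range

# One `ss -lunp` row: State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,fd=N))
SS_ROW = re.compile(
    r'^UNCONN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=\d+,fd=\d+\)\)'
)


def asterisk_rtp_ports(ss_output, lo=RTP_START, hi=RTP_END, skip=SIGNALLING_PORTS):
    """Return the set of UDP ports Asterisk has bound inside [lo, hi]."""
    ports = set()
    for line in ss_output.splitlines():
        m = SS_ROW.match(line.strip())
        if not m:
            continue                       # header line or a row without process info
        port, proc = int(m.group(1)), m.group(2)
        if proc == "asterisk" and lo <= port <= hi and port not in skip:
            ports.add(port)
    return ports


def leaked_estimate(ports_in_use, active_channels, per_channel=PORTS_PER_CHANNEL):
    """Ports held beyond what the live channels should need (never negative)."""
    return max(0, ports_in_use - active_channels * per_channel)


def range_headroom(ports_in_use, lo=RTP_START, hi=RTP_END):
    """Ports still free in the configured range before new calls get no media port."""
    return (hi - lo + 1) - ports_in_use


def leak_trend(snapshots):
    """snapshots: [(ss_output, active_channels), ...] taken over time.

    Returns (leaking, estimates): leaking is True when the surplus never drops
    and ends higher than it started, i.e. ports are retained, not merely busy.
    """
    estimates = [leaked_estimate(len(asterisk_rtp_ports(out)), ch) for out, ch in snapshots]
    monotonic = all(b >= a for a, b in zip(estimates, estimates[1:]))
    return monotonic and estimates[-1] > estimates[0], estimates


# --- constructed sample data (not real captures) --------------------------
def _snapshot(rtp_ports):
    """Fabricate `ss -lunp` output listing the given Asterisk RTP ports."""
    rows = ["State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process",
            'UNCONN 0      0      0.0.0.0:5060        0.0.0.0:*          users:(("asterisk",pid=913,fd=12))']
    rows += ['UNCONN 0      0      0.0.0.0:%d       0.0.0.0:*          users:(("asterisk",pid=913,fd=%d))'
             % (p, 40 + i) for i, p in enumerate(rtp_ports)]
    rows.append('UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*          users:(("systemd-resolve",pid=500,fd=13))')
    return "\n".join(rows) + "\n"


# Two channels stay up the whole time, yet four new sockets appear per snapshot.
SAMPLE_SNAPSHOTS = [
    (_snapshot(range(10000, 10004)), 2),
    (_snapshot(range(10000, 10008)), 2),
    (_snapshot(range(10000, 10012)), 2),
]


def sample_trend():
    return leak_trend(SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    leaking, est = sample_trend()
    print("leak suspected:", leaking, "surplus per snapshot:", est)
```

In production, replace the fabricated snapshots with the output of `ss -lunp` and the channel count from `core show channels count`, taken at the same moment a few minutes apart; the channel count is what separates a genuine leak from a busy hour.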


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection rests on two signals: the leaked resources on the Asterisk host and the crafted INVITEs on the wire. On the host, watch for RTP UDP port usage and PJSIP module use counts that rise continuously while the number of active calls does not. Useful checks are `ss -lunp | grep asterisk` (or `netstat -lunp`) to count the UDP sockets Asterisk holds in its RTP range, and in the Asterisk CLI `core show channels` to count live channels, `pjsip show channels` and `pjsip show endpoints` to spot sessions that never clear, and `module show like res_pjsip` to read the Use Count column. On the network, the proof-of-concept uses SIPp to send INVITEs whose Via header carries a malformed or fixed branch parameter such as `branch=012345678`; that value lacks the `z9hG4bK` magic cookie that RFC 3261 requires a branch to start with, which makes it easy to filter, and even a cookie-prefixed branch is suspicious when the same value repeats across many INVITEs from one source. Capture SIP signalling with `tcpdump -i any -A 'udp port 5060'` (adjust for your transport and port) or open a capture in Wireshark with a display filter such as `sip.Method == "INVITE" && !(sip.Via.branch contains "z9hG4bK")`. [5]
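The wire-side check described above, as an added Python example that is not code from Asterisk, pjproject or the proof of concept: it parses raw SIP messages, takes the branch parameter of the topmost Via header of each INVITE, flags values that do not start with the RFC 3261 magic cookie `z9hG4bK`, and flags a branch value that repeats across INVITEs from the same source. The reuse threshold and the sample messages (RFC 5737 documentation addresses, a `.invalid` domain) are assumptions constructed for illustration; feed it the SIP payloads from your own capture.

```python
"""Flag SIP INVITEs with a malformed or fixed Via branch, the trigger pattern
described for CVE-2025-54995.

Added example (not Asterisk, pjproject or proof-of-concept code).  Checks:
  1. RFC 3261 requires the Via branch to start with the magic cookie
     "z9hG4bK"; a value such as branch=012345678 lacks it.
  2. A branch must be unique per transaction, so the same value reused across
     INVITEs from one source is the "fixed branch" pattern.
"""
import re
from collections import Counter, defaultdict

MAGIC_COOKIE = "z9hG4bK"
REUSE_THRESHOLD = 3          # assumption: how many repeats count as a fixed branch

# Topmost Via header (long or compact "v" form) and the branch parameter inside it.
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*(.+)$", re.IGNORECASE | re.MULTILINE)
BRANCH_RE = re.compile(r";\s*branch\s*=\s*([^;,\s]+)", re.IGNORECASE)


def is_invite(message):
    """True when the request line method is INVITE."""
    request_line = message.split("\r\n", 1)[0]
    return request_line.upper().startswith("INVITE ")


def top_via_branch(message):
    """Branch parameter of the first Via header, or None when absent."""
    via = VIA_RE.search(message)
    if not via:
        return None
    branch = BRANCH_RE.search(via.group(1))
    return branch.group(1) if branch else None


def analyze(messages):
    """messages: iterable of (source_ip, raw_sip_text).  Returns findings as
    (source_ip, branch, reason) tuples, in the order they are detected."""
    findings = []
    seen = defaultdict(Counter)                  # source_ip -> branch -> count
    for src, raw in messages:
        if not is_invite(raw):
            continue
        branch = top_via_branch(raw)
        if branch is None:
            findings.append((src, None, "INVITE without a Via branch"))
            continue
        if not branch.startswith(MAGIC_COOKIE):
            findings.append((src, branch, "branch lacks RFC 3261 magic cookie"))
        seen[src][branch] += 1
        if seen[src][branch] == REUSE_THRESHOLD:
            findings.append((src, branch, "branch reused %d times from one source" % REUSE_THRESHOLD))
    return findings


# --- constructed sample traffic (RFC 5737 addresses, .invalid domain) -------
def _request(method, via_host, branch, call_id):
    return (
        "%s sip:100@pbx.example.invalid SIP/2.0\r\n"
        "Via: SIP/2.0/UDP %s:5060;branch=%s;rport\r\n"
        "From: <sip:caller@%s>;tag=1\r\n"
        "To: <sip:100@pbx.example.invalid>\r\n"
        "Call-ID: %s\r\n"
        "CSeq: 1 %s\r\n"
        "Content-Length: 0\r\n\r\n"
    ) % (method, via_host, branch, via_host, call_id, method)


SAMPLE = [
    ("198.51.100.7", _request("INVITE", "198.51.100.7", "z9hG4bK-a1b2c3", "call-1")),  # benign
    ("203.0.113.5",  _request("INVITE", "203.0.113.5", "012345678", "call-2")),
    ("203.0.113.5",  _request("INVITE", "203.0.113.5", "012345678", "call-3")),
    ("203.0.113.5",  _request("INVITE", "203.0.113.5", "012345678", "call-4")),
    ("203.0.113.5",  _request("BYE",    "203.0.113.5", "012345678", "call-4")),        # ignored: not an INVITE
]


def sample_findings():
    return analyze(SAMPLE)


if __name__ == "__main__":
    for src, branch, reason in sample_findings():
        print(src, branch, reason)
```

The cookie check alone catches the proof-of-concept value; the reuse counter is what catches a variant that keeps the cookie but still fixes the branch, so keep both when turning this into a detection rule.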


What immediate steps should I take to mitigate this vulnerability?

The immediate step is to upgrade Asterisk to a fixed release: 18.26.4 or later on the 18 branch, or 18.9-cert17 or later on Certified Asterisk. These releases bundle pjproject 2.15.1, which releases RTP UDP ports and internal resources when a session ends. Until the upgrade is applied, reduce exposure by filtering or rate limiting inbound SIP at the network edge or SBC, accepting signalling only from known trunks and peers where possible, and dropping INVITEs whose Via branch is malformed or repeats a fixed value. Reviewing dialplan logic for proper call termination is good hygiene but does not address the root cause, which lies in the SIP stack; only the upgrade fully resolves the issue. [1, 2, 5]

