CVE-2025-1131
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-23

Last updated on: 2025-11-03

Assigner: Gridware

Description
A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-23
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-09-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-1131
Affected Vendors & Products
Showing 30 associated CPEs
Vendor Product Version / Range
sangoma asterisk to 18.26.3 (exc)
sangoma asterisk From 20.0.0 (inc) to 20.15.1 (exc)
sangoma asterisk From 21.0.0 (inc) to 21.10.1 (exc)
sangoma asterisk From 22.0.0 (inc) to 22.5.1 (exc)
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 18.9
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a local privilege escalation issue in the safe_asterisk script used to start the Asterisk telephony software in non-systemd environments. The script runs as root and executes all shell scripts (*.sh) in the /etc/asterisk/startup.d directory without checking their ownership or permissions. If a non-root user has write access to /etc/asterisk, they can place malicious scripts in this directory. When Asterisk is restarted via safe_asterisk, these scripts run with root privileges, allowing the user to escalate their privileges to root. [1]

Impact Analysis

If exploited, this vulnerability allows a non-root user with write access to /etc/asterisk to execute arbitrary code with root privileges. This means an attacker can gain full control over the affected system, potentially leading to unauthorized access, data manipulation, or disruption of services. [1]

Detection Guidance

You can detect this vulnerability by checking if the /etc/asterisk/startup.d directory exists and contains any .sh scripts that could be executed by safe_asterisk. Also, verify if non-root users have write access to /etc/asterisk, which would allow them to place malicious scripts. For example, run the following commands: 1. Check if the startup.d directory exists and list scripts: ls -l /etc/asterisk/startup.d/*.sh 2. Check permissions on /etc/asterisk: ls -ld /etc/asterisk 3. Check which users have write access to /etc/asterisk: getfacl /etc/asterisk 4. To test if the vulnerability is present, create a test script (e.g., 01-test.sh) in /etc/asterisk/startup.d that performs a privileged action (like creating a root-owned file), then restart Asterisk using safe_asterisk and check if the action was executed with root privileges. [1]

Mitigation Strategies

Immediate mitigation steps include: 1. Restrict write permissions to the /etc/asterisk directory so that only trusted users (preferably root) can write to it, preventing unprivileged users from placing scripts in startup.d. 2. Remove or rename the /etc/asterisk/startup.d directory if it is not needed. 3. Upgrade Asterisk to a fixed version where this vulnerability is patched (e.g., 18.26.3, 20.15.1, 21.10.1, 22.5.1, 18.9-cert16, or 20.7-cert7). 4. Use the recommended systemd asterisk.service file to start Asterisk instead of safe_asterisk, as this method is not vulnerable. 5. Audit existing scripts in /etc/asterisk/startup.d for any unauthorized or suspicious files. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-1131. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart