CVE-2025-69205
Unknown Unknown - Not Provided
Command Injection in Micro Registration Utility Enables Call Redirection

Publication date: 2025-12-29

Last updated on: 2025-12-29

Assigner: GitHub, Inc.

Description
Micro Registration Utility (Β΅URU) is a telephone self registration utility based on asterisk. In versions up to and including commit 88db9a953f38a3026bcd6816d51c7f3b93c55893, an attacker can crafts a special federation name and characters treated special by asterisk can be injected into the `Dial( )` application due to improper input validation. This allows an attacker to redirect calls on both of the federating instances. If the attack succeeds, the impact is very high. However, the requires that an admin accept the federation requests. As of time of publication, a known patched version of Β΅URU is not available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-29
Last Modified
2025-12-29
Generated
2026-06-16
AI Q&A
2025-12-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69205
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
asterisk asterisk *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Micro Registration Utility (Β΅URU) allows an attacker to craft a special federation name containing characters that are treated specially by the underlying asterisk system. Due to improper input validation, these characters can be injected into the Dial() application, enabling the attacker to redirect calls between federating instances. However, the attack requires an administrator to accept the federation requests for it to succeed.

Impact Analysis

If exploited, this vulnerability can lead to unauthorized call redirection between federating instances, potentially allowing attackers to intercept, manipulate, or disrupt telephone communications. The impact is considered very high, but exploitation requires administrative approval of federation requests.

Mitigation Strategies

Immediate steps include ensuring that federation requests are not accepted without proper verification, as the vulnerability requires an admin to accept federation requests to succeed. Since no patched version is available at the time of publication, administrators should avoid accepting federation requests from untrusted sources and monitor for suspicious federation activity.

Compliance Impact

The vulnerability allows an attacker to redirect calls and potentially impersonate intended recipients, compromising the confidentiality, integrity, and availability of calls. Such a compromise can lead to unauthorized access to sensitive communication data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information. Therefore, exploitation of this vulnerability could negatively impact compliance with these regulations by exposing sensitive call data and undermining secure communication controls. [2]

Detection Guidance

This vulnerability can be detected by inspecting federation names used in your system for special characters such as '&' or dialplan functions like '${PJSIP_DIAL_CONTACTS(...) }' that are not properly escaped or filtered. You can check the dialplan entries created for federated IAX peers, especially those generated by the function 'create_iax_peer' in 'app/models/crud/asterisk.py'. A practical approach is to search for federation names containing special characters or dialplan injection patterns. For example, you can use grep or similar commands on your dialplan files or configuration directories to find suspicious federation names or dialplan entries. Example commands might include: 1) `grep -rE '&|\$\{.*\}' /path/to/asterisk/config` to find federation names or dialplan entries containing '&' or dialplan functions. 2) Review logs or dialplan files for entries similar to `IAX2/tm/1234&${PJSIP_DIAL_CONTACTS(4444)}` which indicate injection attempts. Since the vulnerability requires an admin to accept federation requests, auditing accepted federation names for suspicious characters is critical. Note that no known patched version is available yet, so detection relies on manual inspection and monitoring for unusual dialplan entries or call redirections. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69205. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart