CVE-2025-69205
Command Injection in Micro Registration Utility Enables Call Redirection
Publication date: 2025-12-29
Last updated on: 2025-12-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| asterisk | asterisk | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Micro Registration Utility (µURU) allows an attacker to craft a federation name containing characters that the underlying Asterisk system treats specially. Due to improper input validation, these characters are passed through into the Dial() application, enabling the attacker to redirect calls between federating instances. However, the attack only succeeds if an administrator accepts the federation request.
How can this vulnerability impact me?
If exploited, this vulnerability can lead to unauthorized call redirection between federating instances, potentially allowing attackers to intercept, manipulate, or disrupt telephone communications. The impact is considered very high, but exploitation requires administrative approval of federation requests.
What immediate steps should I take to mitigate this vulnerability?
Immediate steps include ensuring that federation requests are not accepted without proper verification, as the vulnerability requires an admin to accept federation requests to succeed. Since no patched version is available at the time of publication, administrators should avoid accepting federation requests from untrusted sources and monitor for suspicious federation activity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to redirect calls and potentially impersonate intended recipients, compromising the confidentiality, integrity, and availability of calls. Such a compromise can lead to unauthorized access to sensitive communication data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information. Therefore, exploitation of this vulnerability could negatively impact compliance with these regulations by exposing sensitive call data and undermining secure communication controls. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the federation names used in your system for special characters such as '&' or dialplan functions like '${PJSIP_DIAL_CONTACTS(...)}' that are not properly escaped or filtered. Check the dialplan entries created for federated IAX peers, especially those generated by the function 'create_iax_peer' in 'app/models/crud/asterisk.py'. A practical approach is to search for federation names containing special characters or dialplan injection patterns, using grep or similar commands on your dialplan files or configuration directories. Example commands:

1) `grep -rE '&|\$\{.*\}' /path/to/asterisk/config` to find federation names or dialplan entries containing '&' or dialplan functions.
2) Review logs or dialplan files for entries similar to `IAX2/tm/1234&${PJSIP_DIAL_CONTACTS(4444)}`, which indicate injection attempts.

Since the vulnerability requires an admin to accept federation requests, auditing accepted federation names for suspicious characters is critical. Note that no known patched version is available yet, so detection relies on manual inspection and monitoring for unusual dialplan entries or call redirections. [2]
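As an added example (not code from µURU, Asterisk, or this advisory), the following Python script applies both halves of the guidance above: an allow-list check that a federation-name handler could run before the name is embedded in an IAX2 Dial() target, and a scanner over dialplan lines that narrows the grep pattern so the ordinary `${EXTEN}` variable is not flagged. The `Dial(IAX2/<name>/${EXTEN})` shape and the sample dialplan are assumptions constructed for the example.

```python
import re

# Allow-list for names that will be embedded in a Dial() argument:
# letters, digits, '-', '_' and '.', 1-64 chars.  '&' (Dial()'s
# channel separator), '$', '{', '}', '/', ',' and whitespace are out.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")

# '&' inside a Dial() target, or a dialplan *function* call such as
# ${PJSIP_DIAL_CONTACTS(...)}.  Plain variables like ${EXTEN} are
# normal in a dialplan and are deliberately not flagged.
INJECTION = re.compile(r"&|\$\{[A-Za-z_][A-Za-z0-9_]*\(")
DIAL_ARG = re.compile(r"Dial\((.*)\)")  # greedy: up to the last ')'


def is_safe_federation_name(name: str) -> bool:
    return SAFE_NAME.fullmatch(name) is not None


def build_dial_target(name: str, exten_var: str = "${EXTEN}") -> str:
    """Build the IAX2 Dial() target, refusing unvalidated names (assumed shape)."""
    if not is_safe_federation_name(name):
        raise ValueError(f"rejected federation name: {name!r}")
    return f"IAX2/{name}/{exten_var}"


def find_suspicious_dial_entries(dialplan_text: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for each Dial() whose
    argument carries '&' or a dialplan function call."""
    hits = []
    for lineno, line in enumerate(dialplan_text.splitlines(), start=1):
        m = DIAL_ARG.search(line)
        if m and INJECTION.search(m.group(1)):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample dialplan; line 3 mirrors the advisory's pattern.
SAMPLE_DIALPLAN = """\
[federation]
exten => _1XXX,1,Dial(IAX2/tm/${EXTEN})
exten => _2XXX,1,Dial(IAX2/tm/1234&${PJSIP_DIAL_CONTACTS(4444)})
exten => _3XXX,1,Dial(IAX2/partner-b/${EXTEN},30)
"""

if __name__ == "__main__":
    for lineno, line in find_suspicious_dial_entries(SAMPLE_DIALPLAN):
        print(f"line {lineno}: {line}")
```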