Bug 2368043 (CVE-2025-47780)

A flaw was found in Asterisk, the open-source private branch exchange (PBX), affecting versions prior to 18.26.2, 20.14.1, 21.9.1, and 22.4.1 (and certified-asterisk versions 18.9-cert14 and 20.7-cert5). The vulnerability stems from an improper implementation of cli_permissions.conf. Specifically, attempts to disallow shell command execution via the Asterisk command line interface (CLI) by configuring cli_permissions.conf (e.g., using deny=!*) do not function as intended. If an administrator relies on this configuration to prevent arbitrary shell command execution, an authenticated attacker with CLI access could bypass these intended restrictions and execute arbitrary commands on the underlying system with the privileges of the Asterisk process. This could lead to a full system compromise, data exfiltration, or denial of service. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk, and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, contain the fix for this issue.