Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-2qjc-yspn-xydj
Vulnerability ID VCID-2qjc-yspn-xydj
Aliases CVE-2025-47780
Summary Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
Status Published
Exploitability 0.5
Weighted Severity 4.3
Risk 2.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
System Score Found at
epss 0.00577 https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss 0.00577 https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss 0.00577 https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss 0.00577 https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss 0.00577 https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss 0.00577 https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss 0.00577 https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss 0.00577 https://api.first.org/data/v1/epss?cve=CVE-2025-47780
cvssv4 4.8 https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
ssvc Track https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-47780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47780
1106530 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106530
GHSA-c7p6-7mvq-8jq2 https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
No exploits are available.
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T17:24:44Z/ Found at https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
Exploit Prediction Scoring System (EPSS)
Percentile 0.6877
EPSS Score 0.00577
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T16:38:59.534261+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.0.0