VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-sfm5-5rng-17g9

Essentials
Severities (28)
References (5)
Severity details (2)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-sfm5-5rng-17g9
Aliases	CVE-2025-47780
Summary	Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
Status	Published
Exploitability	0.5
Weighted Severity	4.3
Risk	2.1
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

System	Score	Found at
epss	0.00062	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00062	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.0008	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.0008	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.0008	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2025-47780
cvssv4	4.8	https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
ssvc	Track	https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-47780
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47780
1106530		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106530
CVE-2025-47780		https://nvd.nist.gov/vuln/detail/CVE-2025-47780
GHSA-c7p6-7mvq-8jq2		https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2

No exploits are available.

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N Found at https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-22T17:24:44Z/ Found at https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2

Exploit Prediction Scoring System (EPSS)

Percentile	0.19813
EPSS Score	0.00062
Published At	Sept. 19, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T09:28:01.451984+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2025/47xxx/CVE-2025-47780.json	37.0.0