CVE-2025-49832

MEDIUM

Asterisk <= 18.26.2, 20.0.0-20.15.0, 20.7-cert6, 21.0.0, 22.0.0-22.5.0 - Remote DoS and RCE in STIR/SHAKEN

Title source: llm

Description

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

References (1)

Core 1

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr

Scores

CVSS v3 6.5

EPSS 0.0043

EPSS Percentile 34.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-476

Status published

Products (3)

sangoma/asterisk < 18.26.3

sangoma/certified_asterisk 20.7 cert1 (8 CPE variants)

sangoma/certified_asterisk < 18.9

Published Aug 01, 2025

Tracked Since Feb 18, 2026