CVE-2024-57520 is a security vulnerability identified in the Asterisk open-source telephony software, specifically version 22. The flaw arises from insecure permissions in the action_createconfig function, which is responsible for creating configuration files. The vulnerability enables a remote attacker to exploit directory traversal to create files outside the designated Asterisk product directory. This could theoretically lead to arbitrary code execution if an attacker can place malicious files in sensitive locations. However, the supplier disputes the severity, arguing that the impact is limited to creating empty files and that exploitation requires privileged user access capable of managing configurations, which significantly limits the attack surface. Despite this, the CVSS 3.1 base score is 9.8, reflecting a critical severity rating with attack vector as network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The discrepancy suggests that the CVSS scoring may not fully consider the privilege requirement stated by the supplier. No patches or known exploits are currently available, and the vulnerability is newly published as of February 2025. The CWE classification is CWE-732 (Insecure Permissions), indicating improper permission settings that could allow unauthorized actions. This vulnerability is significant for organizations relying on Asterisk for VoIP and telephony services, as exploitation could disrupt communications and compromise system integrity.

For European organizations, the impact of CVE-2024-57520 could be substantial, particularly for those using Asterisk v22 in their telephony infrastructure. Successful exploitation could lead to unauthorized file creation outside the intended directories, potentially enabling remote code execution and full system compromise. This threatens confidentiality by exposing sensitive telephony configurations, integrity by allowing unauthorized modifications, and availability by disrupting telephony services. Given the critical CVSS score, the vulnerability could facilitate widespread disruption of communication services, impacting business operations, customer interactions, and emergency response capabilities. However, the supplier's assertion that exploitation requires privileged access reduces the risk from external attackers but raises concerns about insider threats or compromised privileged accounts. European organizations with remote management capabilities for Asterisk configurations are particularly at risk. The absence of known exploits in the wild provides a window for proactive mitigation but also underscores the need for vigilance.

European organizations should immediately audit their Asterisk v22 deployments to verify if the action_createconfig function is accessible remotely and under what privilege conditions. Restrict access to configuration management interfaces strictly to trusted administrators and enforce strong authentication and authorization controls. Implement network segmentation to isolate telephony systems from general user networks and the internet. Monitor logs for unusual file creation activities outside the Asterisk directories. Apply principle of least privilege to all users with configuration management rights to minimize insider threat risks. Since no patches are currently available, consider temporary workarounds such as disabling remote configuration management if feasible. Engage with Asterisk vendors or community for updates and patches addressing this vulnerability. Conduct regular security assessments and penetration testing focused on telephony infrastructure. Finally, prepare incident response plans specific to telephony service disruptions and potential compromise scenarios.