
CVE-2025-47780: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in asterisk asterisk

Medium
Tags: Vulnerability, CVE-2025-47780, CVE, CWE-78
Published: Thu May 22 2025 (05/22/2025, 16:56:28 UTC)
Source: CVE
Vendor/Project: asterisk
Product: asterisk

Description

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

AI-Powered Analysis

Last updated: 07/08/2025, 09:25:40 UTC

Technical Analysis

CVE-2025-47780 is a medium-severity vulnerability affecting multiple versions of Asterisk, an open-source private branch exchange (PBX) widely used for telephony services. The flaw is classified as improper neutralization of special elements used in an OS command (CWE-78) and concerns how shell command execution through the Asterisk command line interface (CLI) is restricted. Administrators commonly rely on the cli_permissions.conf configuration file to deny shell command execution, for example with a directive such as deny=!*. In affected versions prior to 18.26.2, 20.14.1, 21.9.1, and 22.4.1 (and the corresponding certified-asterisk releases prior to 18.9-cert14 and 20.7-cert5), this configuration does not function as intended, so a user with CLI access and limited privileges may still be able to run arbitrary shell commands. Because the CLI permission restrictions can be bypassed, the outcome is OS command injection on the host.

The CVSS 4.0 vector requires at least low privileges (PR:L) but no user interaction (UI:N) and no special attack requirements (AT:N): an attacker who already holds some level of CLI access can exploit the flaw without further involvement from anyone else. The CVSS 4.0 base score is 4.8 (medium), reflecting the local attack vector and the privilege requirement. No exploits are currently reported in the wild. The issue is fixed in Asterisk 18.26.2, 20.14.1, 21.9.1, and 22.4.1 and in the corresponding certified-asterisk releases. The vulnerability highlights the risk of relying solely on configuration-based access controls when the software itself does not enforce them, which can lead to privilege escalation or unauthorized command execution on telephony infrastructure.

Potential Impact

For European organizations, especially those in telecommunications, call centers, and enterprises using Asterisk for VoIP and PBX services, this vulnerability poses a risk of unauthorized command execution on critical telephony infrastructure. Exploitation could lead to compromise of the underlying server, enabling attackers to intercept calls, disrupt telephony services, or pivot to other internal systems. Given the role of Asterisk in handling sensitive communications, confidentiality and integrity of voice data could be impacted. Availability could also be affected if attackers execute disruptive commands. The medium severity score reflects that exploitation requires some level of CLI access, which may be limited to internal users or attackers who have already gained partial access. However, in environments where CLI access is exposed or weakly controlled, the risk increases. European organizations with regulatory obligations around data protection (e.g., GDPR) must consider the potential for data leakage or service disruption. Additionally, telephony infrastructure is often critical for business continuity, making mitigation important to avoid operational impact.

Mitigation Recommendations

1. Immediately upgrade affected Asterisk installations to the fixed versions: 18.26.2, 20.14.1, 21.9.1, or 22.4.1, or the corresponding certified-asterisk releases.
2. Restrict CLI access strictly to trusted administrators using network-level controls such as VPNs, IP allow-listing, and strong authentication mechanisms.
3. Implement multi-factor authentication for administrative access to the Asterisk CLI where possible.
4. Monitor CLI access logs for unusual or unauthorized command execution attempts.
5. Consider isolating Asterisk servers in segmented network zones with minimal exposure to untrusted networks.
6. Review and harden cli_permissions.conf configurations post-upgrade to ensure that command restrictions are properly enforced.
7. Conduct regular security audits and penetration testing focused on telephony infrastructure to detect potential misconfigurations or vulnerabilities.
8. Employ host-based intrusion detection systems (HIDS) to detect anomalous shell command executions on Asterisk servers.
9. Educate administrators about the risks of relying solely on configuration files for security enforcement and encourage defense-in-depth strategies.
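The first mitigation step is an upgrade, and the affected/fixed boundaries above are per-branch (18.x, 20.x, 21.x, 22.x, plus the two certified branches), so a flat "is my version newer than 22.4.1" comparison gives wrong answers for 18.x or 20.x deployments. The following script is an added example, not part of this advisory or of the Asterisk project: it encodes the fixed versions exactly as listed above and reports whether a given version string still falls in the affected range. The `extract_version` helper assumes the version appears as the token after the word "Asterisk" (as in the output of `asterisk -V`) and that certified builds may carry a `certified/` prefix; both are assumptions about output format, not facts taken from the advisory.

```python
"""Added example for CVE-2025-47780: classify an Asterisk version string
against the fixed versions named in the advisory (not project code)."""
import re

# Fixed versions from the advisory, keyed by major branch: anything
# lower on the same branch is affected.
FIXED_PLAIN = {
    18: (18, 26, 2),
    20: (20, 14, 1),
    21: (21, 9, 1),
    22: (22, 4, 1),
}

# certified-asterisk fixes, keyed by the (major, minor) base release:
# the value is the first fixed "-certN" number on that base.
FIXED_CERT = {
    (18, 9): 14,
    (20, 7): 5,
}

_PLAIN_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
_CERT_RE = re.compile(r"^(\d+)\.(\d+)-cert(\d+)$")


def parse_version(text):
    """Return ("plain", (major, minor, patch)) or ("cert", ((major, minor), certN))."""
    text = text.strip()
    if text.startswith("certified/"):  # assumed prefix on certified builds
        text = text[len("certified/"):]
    m = _PLAIN_RE.match(text)
    if m:
        return "plain", tuple(int(x) for x in m.groups())
    m = _CERT_RE.match(text)
    if m:
        major, minor, cert = (int(x) for x in m.groups())
        return "cert", ((major, minor), cert)
    raise ValueError(f"unrecognised Asterisk version string: {text!r}")


def is_vulnerable(text):
    """True if affected, False if at/after the fix, None if the branch is not
    covered by the advisory (for example an end-of-life 16.x or 19.x build)."""
    kind, ver = parse_version(text)
    if kind == "plain":
        fixed = FIXED_PLAIN.get(ver[0])
        if fixed is None:
            return None
        return ver < fixed          # tuple comparison handles minor/patch
    base, cert = ver
    fixed_cert = FIXED_CERT.get(base)
    if fixed_cert is None:
        return None
    return cert < fixed_cert


def extract_version(output):
    """Pull the version token out of a line such as 'Asterisk 20.14.1'
    (assumed format of `asterisk -V`); raises ValueError if absent."""
    m = re.search(r"\bAsterisk\s+(\S+)", output)
    if not m:
        raise ValueError("no Asterisk version found in output")
    return m.group(1)


def classify(text):
    """Human-readable verdict for one version string."""
    state = is_vulnerable(text)
    if state is None:
        return f"{text}: branch not covered by the advisory; check vendor EOL status"
    return f"{text}: {'AFFECTED, upgrade required' if state else 'fixed'}"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ["18.26.1", "20.14.1", "22.3.0", "18.9-cert13",
                   "certified/20.7-cert5", "16.30.0"]:
        print(classify(sample))
    print(classify(extract_version("Asterisk 21.9.0")))
```

Run it against the version reported by each PBX host; any `AFFECTED` result means the cli_permissions.conf deny rule cannot be trusted on that host until it is upgraded, and step 6 (re-checking cli_permissions.conf) applies after the upgrade, not instead of it.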


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-09T19:49:35.620Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682f59b40acd01a249263fd2

Added to database: 5/22/2025, 5:07:00 PM

Last enriched: 7/8/2025, 9:25:40 AM

Last updated: 8/15/2025, 10:52:11 AM

