VYPR
Unrated severityNVD Advisory· Published May 22, 2025· Updated Nov 3, 2025

cli_permissions.conf: deny option does not work for disallowing shell commands

CVE-2025-47780

Description

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring cli_permissions.conf (e.g. with the config line deny=!*) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the cli_permissions.conf file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Asterisk/Asteriskllm-fuzzy2 versions
    <18.26.2, <20.14.1, <21.9.1, <22.4.1+ 1 more
    • (no CPE)range: <18.26.2, <20.14.1, <21.9.1, <22.4.1
    • (no CPE)range: < 18.9-cert14
  • Range: <18.9-cert14, <20.7-cert5

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.