CVE-2025-1131 - Vulnerability Details

A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Asterisk	Asterisk
Sangoma	Asterisk Certified Asterisk

Configuration 1 [-]

OR	cpe:2.3:a:sangoma:asterisk::::::::
	cpe:2.3:a:sangoma:asterisk::::::::
	cpe:2.3:a:sangoma:asterisk::::::::
	cpe:2.3:a:sangoma:asterisk::::::::

Configuration 2 [-]

OR	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1-rc1::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert10::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert11::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert12::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert13::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert14::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert15::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert6::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert7::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc1::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc2::::::
	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert9::::::
	cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1::::::
	cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1::::::
	cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2::::::
	cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2::::::
	cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3::::::
	cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4::::::
	cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5::::::
	cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6::::::

No data.

References

Link	Providers
https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp

History

Wed, 08 Oct 2025 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sangoma Sangoma asterisk Sangoma certified Asterisk
CPEs		cpe:2.3:a:sangoma:asterisk:::::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1-rc1:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert10:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert11:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert12:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert13:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert14:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert15:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert6:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert7:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc1:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc2:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8:::::: cpe:2.3:a:sangoma:certified_asterisk:18.9:cert9:::::: cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:::::: cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:::::: cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:::::: cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:::::: cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:::::: cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:::::: cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:::::: cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6::::::
Vendors & Products		Sangoma Sangoma asterisk Sangoma certified Asterisk
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 23 Sep 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 23 Sep 2025 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Asterisk Asterisk asterisk
Vendors & Products		Asterisk Asterisk asterisk

Tue, 23 Sep 2025 04:45:00 +0000

Type	Values Removed	Values Added
Description		A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.
Title		Asterisk Unsafe Shell Sourcing in safe_asterisk Leads to Local Privilege Escalation
Weaknesses		CWE-427
References		https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp
Metrics		cvssV4_0 `{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/V:C/RE:H/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: Gridware

Published: 2025-09-23T04:31:02.784Z

Updated: 2025-09-24T03:55:14.630Z

Reserved: 2025-02-08T04:11:43.201Z

Link: CVE-2025-1131

Vulnrichment

Updated: 2025-09-23T19:11:08.602Z

NVD

Status : Analyzed

Published: 2025-09-23T05:15:35.603

Modified: 2025-10-08T20:35:00.300

Link: CVE-2025-1131

Redhat

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object