CVE-2025-1131

CVE-2025-1131

Name

CVE-2025-1131

Description

A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
b7efe717-a805-47cf-8e9a-921fca0ce0ce	https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/10/msg00006.html

Type

URI

b7efe717-a805-47cf-8e9a-921fca0ce0ce

https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp

af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/10/msg00006.html

Match rules

Source package	Min version	Max version
asterisk	== Asterisk <=18.26.2	== Asterisk <=18.26.2
asterisk	== Asterisk <= 20.15.0	== Asterisk <= 20.15.0
asterisk	== Asterisk <= 21.10.0	== Asterisk <= 21.10.0
asterisk	== Asterisk <= 22.5.0	== Asterisk <= 22.5.0

CPE URI

Source package

Min version

Max version

asterisk

== Asterisk <=18.26.2

asterisk

== Asterisk <= 20.15.0

asterisk

== Asterisk <= 21.10.0

asterisk

== Asterisk <= 22.5.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
asterisk	edge-main	20.11.1-r6	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.1-r5	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.1-r4	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.1-r3	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.1-r1	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.1-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.0-r1	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.0-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.22-main	20.11.1-r6	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.22-main	20.11.1-r5	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.21-main	20.11.1-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.21-main	20.11.0-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.20-main	20.9.3-r1	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.20-main	20.9.3-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.19-main	20.9.3-r1	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.19-main	20.9.3-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages