CVE-2025-49832

CVE-2025-49832

Name

CVE-2025-49832

Description

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
CONFIRM	https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr

Type

URI

CONFIRM

https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr

Match rules

Source package	Min version	Max version
asterisk	>= 0	< 18.26.3
asterisk	>= 20.00.0	< 20.15.1
asterisk	>= 21.00.0	< 21.10.1
asterisk	>= 22.00.0	< 22.5.1
asterisk	>= 20.7-cert6	< 20.7-cert7

CPE URI

Source package

Min version

Max version

asterisk

>= 0

< 18.26.3

asterisk

>= 20.00.0

< 20.15.1

asterisk

>= 21.00.0

< 21.10.1

asterisk

>= 22.00.0

< 22.5.1

asterisk

>= 20.7-cert6

< 20.7-cert7

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
asterisk	edge-main	20.11.1-r6	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.1-r5	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.1-r4	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.1-r3	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.1-r1	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.1-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.0-r1	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.11.0-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.9.3-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.9.2-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.8.1-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	20.5.1-r0	None	possibly vulnerable
asterisk	edge-main	18.15.1-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.15.0-r3	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.15.0-r2	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.15.0-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.13.0-r1	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.13.0-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.11.2-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.2-r5	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.2-r4	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.2-r3	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.2-r2	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.2-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.1-r0	None	possibly vulnerable
asterisk	edge-main	18.1.1-r0	None	possibly vulnerable
asterisk	edge-main	18.0.1-r0	None	possibly vulnerable
asterisk	edge-main	16.6.2-r0	None	possibly vulnerable
asterisk	edge-main	16.5.1-r0	None	possibly vulnerable
asterisk	edge-main	16.4.1-r0	None	possibly vulnerable
asterisk	edge-main	16.3.0-r0	None	possibly vulnerable
asterisk	edge-main	15.7.1-r0	None	possibly vulnerable
asterisk	3.22-main	20.11.1-r6	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.22-main	20.11.1-r5	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.22-main	20.11.1-r0	None	possibly vulnerable
asterisk	3.22-main	20.9.3-r0	None	possibly vulnerable
asterisk	3.22-main	20.9.2-r0	None	possibly vulnerable
asterisk	3.22-main	20.8.1-r0	None	possibly vulnerable
asterisk	3.22-main	20.5.1-r0	None	possibly vulnerable
asterisk	3.22-main	18.15.1-r0	None	possibly vulnerable
asterisk	3.22-main	18.11.2-r0	None	possibly vulnerable
asterisk	3.22-main	18.2.2-r2	None	possibly vulnerable
asterisk	3.22-main	18.2.1-r0	None	possibly vulnerable
asterisk	3.22-main	18.1.1-r0	None	possibly vulnerable
asterisk	3.22-main	18.0.1-r0	None	possibly vulnerable
asterisk	3.22-main	16.6.2-r0	None	possibly vulnerable
asterisk	3.22-main	16.5.1-r0	None	possibly vulnerable
asterisk	3.22-main	16.4.1-r0	None	possibly vulnerable
asterisk	3.22-main	16.3.0-r0	None	possibly vulnerable
asterisk	3.22-main	15.7.1-r0	None	possibly vulnerable
asterisk	3.21-main	20.11.1-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.21-main	20.11.0-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.21-main	20.9.3-r0	None	possibly vulnerable
asterisk	3.21-main	20.9.2-r0	None	possibly vulnerable
asterisk	3.21-main	20.8.1-r0	None	possibly vulnerable
asterisk	3.21-main	20.5.1-r0	None	possibly vulnerable
asterisk	3.21-main	18.15.1-r0	None	possibly vulnerable
asterisk	3.21-main	18.11.2-r0	None	possibly vulnerable
asterisk	3.21-main	18.2.2-r2	None	possibly vulnerable
asterisk	3.21-main	18.2.1-r0	None	possibly vulnerable
asterisk	3.21-main	18.1.1-r0	None	possibly vulnerable
asterisk	3.21-main	18.0.1-r0	None	possibly vulnerable
asterisk	3.21-main	16.6.2-r0	None	possibly vulnerable
asterisk	3.21-main	16.5.1-r0	None	possibly vulnerable
asterisk	3.21-main	16.4.1-r0	None	possibly vulnerable
asterisk	3.21-main	16.3.0-r0	None	possibly vulnerable
asterisk	3.21-main	15.7.1-r0	None	possibly vulnerable
asterisk	3.20-main	20.9.3-r1	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.20-main	20.9.3-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.20-main	20.9.2-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.20-main	20.8.1-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.20-main	20.5.1-r0	None	possibly vulnerable
asterisk	3.20-main	18.15.1-r0	None	possibly vulnerable
asterisk	3.20-main	18.11.2-r0	None	possibly vulnerable
asterisk	3.20-main	18.2.2-r2	None	possibly vulnerable
asterisk	3.20-main	18.2.1-r0	None	possibly vulnerable
asterisk	3.20-main	18.1.1-r0	None	possibly vulnerable
asterisk	3.20-main	18.0.1-r0	None	possibly vulnerable
asterisk	3.20-main	16.6.2-r0	None	possibly vulnerable
asterisk	3.20-main	16.5.1-r0	None	possibly vulnerable
asterisk	3.20-main	16.4.1-r0	None	possibly vulnerable
asterisk	3.20-main	16.3.0-r0	None	possibly vulnerable
asterisk	3.20-main	15.7.1-r0	None	possibly vulnerable
asterisk	3.19-main	20.9.3-r1	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.19-main	20.9.3-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	3.19-main	20.5.1-r0	None	possibly vulnerable
asterisk	3.19-main	18.15.1-r0	None	possibly vulnerable
asterisk	3.19-main	18.11.2-r0	None	possibly vulnerable
asterisk	3.19-main	18.2.2-r2	None	possibly vulnerable
asterisk	3.19-main	18.2.1-r0	None	possibly vulnerable
asterisk	3.19-main	18.1.1-r0	None	possibly vulnerable
asterisk	3.19-main	18.0.1-r0	None	possibly vulnerable
asterisk	3.19-main	16.6.2-r0	None	possibly vulnerable
asterisk	3.19-main	16.5.1-r0	None	possibly vulnerable
asterisk	3.19-main	16.4.1-r0	None	possibly vulnerable
asterisk	3.19-main	16.3.0-r0	None	possibly vulnerable
asterisk	3.19-main	15.7.1-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages