CVE-2025-47779: 
NixOS vulnerability analysis and mitigation

Asterisk, an open-source private branch exchange (PBX) software, was found to contain a vulnerability (CVE-2025-47779) affecting versions prior to 18.26.2, 20.14.1, 21.9.1, 22.4.1, and certified-asterisk versions prior to 18.9-cert14 and 20.7-cert5. The vulnerability was discovered and disclosed on May 22, 2025, involving improper alignment of SIP MESSAGE request authentication (GitHub Advisory).

The vulnerability stems from improper alignment of SIP requests of the type MESSAGE (RFC 3428) authentication. The issue allows authenticated attackers to manipulate the From header in SIP messages using malformed inputs, particularly involving semicolons or NULL characters in the name portion. The vulnerability has been assigned a CVSS v3.1 base score of 7.7 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N, indicating network attack vector, low attack complexity, and high impact on integrity (GitHub Advisory).

The vulnerability enables authenticated attackers to spoof any user identity when sending messages, allowing them to make messages appear as if they originated from trusted entities, including administrators. This can facilitate spam, social engineering attacks, and phishing campaigns, even against organizations following security best practices (GitHub Advisory).

The vulnerability has been fixed in Asterisk versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1, and in certified-asterisk versions 18.9-cert14 and 20.7-cert5. Organizations are advised to upgrade to these patched versions to address the vulnerability (GitHub Advisory).