CVE-2025-47780: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-47780 affects Asterisk, an open-source private branch exchange (PBX) system. The vulnerability was discovered in versions prior to 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions prior to 18.9-cert14 and 20.7-cert5 of certified-asterisk. The issue involves a security bypass in the CLI permissions configuration that fails to properly restrict shell command execution. The vulnerability was disclosed on May 22, 2025 (GitHub Advisory).

The vulnerability stems from a flaw in the CLI permissions configuration system where attempts to disallow shell commands through the cli_permissions.conf file (using configurations like deny=!*) are ineffective. The root cause is in main/asterisk.c:remoteconsolehandler() and consolehandler(), where astsafesystem is executed immediately, bypassing the cli.c:clihaspermissions() check. The vulnerability has been assigned a CVSS v4.0 base score of 4.8 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).

When exploited, this vulnerability allows users to execute shell commands via the Asterisk CLI even when explicitly denied through configuration. This bypass of security controls could lead to unauthorized command execution within the system's context, potentially compromising system security. The impact is particularly significant for administrators who rely on cli_permissions.conf to enforce command restrictions (GitHub Advisory).

The vulnerability has been fixed in Asterisk versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1, and in certified-asterisk versions 18.9-cert14 and 20.7-cert5. Users should upgrade to these patched versions to address the security issue (GitHub Advisory).