CVE-2025-49832

moderate-risk
Published 2025-08-01

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

Do I need to act?

-
0.19% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (10)

Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk

Affected Vendors

Sangoma

References (1)

Exploit https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr
41
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 1/34 · Minimal
Exposure 16/34 · Moderate