CVE-2025-47780: cli_permissions.conf: deny option does not work for disallowing shell commands
Description
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
Classification
CVE ID: CVE-2025-47780
CVSS Base Severity: MEDIUM
CVSS Base Score: 4.8
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Problem Types
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')Affected Products
Vendor: asterisk
Product: asterisk
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.1% (probability of being exploited)
EPSS Percentile: 29.37% (scored less or equal to compared to others)
EPSS Date: 2025-06-19 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-47780https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2