{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-1131","assignerOrgId":"b7efe717-a805-47cf-8e9a-921fca0ce0ce","state":"PUBLISHED","assignerShortName":"Gridware","dateReserved":"2025-02-08T04:11:43.201Z","datePublished":"2025-09-23T04:31:02.784Z","dateUpdated":"2026-02-26T17:48:19.381Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["safe_asterisk /etc/asterisk/startup.d"],"platforms":["Linux","MacOS"],"product":"Asterisk","programFiles":["safe_asterisk"],"repo":"https://github.com/asterisk/asterisk","vendor":"Asterisk","versions":[{"status":"affected","version":"Asterisk <=18.26.2","versionType":"custom"},{"status":"affected","version":"Asterisk <= 20.15.0","versionType":"custom"},{"status":"affected","version":"Asterisk <= 21.10.0","versionType":"custom"},{"status":"affected","version":"Asterisk <= 22.5.0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Abdul Mhanni"}],"datePublic":"2025-08-01T05:23:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>A local privilege escalation vulnerability exists in the <code>safe_asterisk</code> script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all <code>.sh</code> files located in <code>/etc/asterisk/startup.d/</code> <strong>as root</strong>, without validating ownership or permissions.</p>\n<p>Non-root users with legitimate write access to <code>/etc/asterisk</code> can exploit this behaviour by placing malicious scripts in the <code>startup.d</code> directory, which will then execute with root privileges upon service restart.</p>"}],"value":"A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions.\n\n\nNon-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart."}],"impacts":[{"capecId":"CAPEC-233","descriptions":[{"lang":"en","value":"CAPEC-233 Privilege Escalation"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"LOCAL","baseScore":7,"baseSeverity":"HIGH","privilegesRequired":"LOW","providerUrgency":"AMBER","subAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","userInteraction":"PASSIVE","valueDensity":"CONCENTRATED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/V:C/RE:H/U:Amber","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"HIGH"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-427","description":"CWE-427 Uncontrolled Search Path Element","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"b7efe717-a805-47cf-8e9a-921fca0ce0ce","shortName":"Gridware","dateUpdated":"2025-09-23T04:31:02.784Z"},"references":[{"url":"https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp"}],"source":{"discovery":"EXTERNAL"},"title":"Asterisk Unsafe Shell Sourcing in safe_asterisk Leads to Local Privilege Escalation","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-1131","role":"CISA Coordinator","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-09-24T03:55:15.207908Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T17:48:19.381Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00006.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:31:42.189Z"}}]}}