Strix
26.1K

CVE-2025-47779

MEDIUMCVSS 6.5/10EPSS 0.42%

Last modified

CVE-2025-47779 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. EPSS estimates a 0.42% chance of exploitation in the next 30 days.

Description

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

Metrics

CVSS 3.1
6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS Probability
0.42%

33.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
SangomaAsterisk< 18.26.2
SangomaAsterisk>= 20.0.0, < 20.14.1
SangomaAsterisk>= 21.0.0, < 21.9.1
SangomaAsterisk>= 22.0.0, < 22.4.1
SangomaCertified Asterisk< 18.9
SangomaCertified Asterisk18.9
SangomaCertified Asterisk20.7Cert1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2025-47779?
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
How severe is CVE-2025-47779?
CVE-2025-47779 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.42% probability of exploitation in the next 30 days.
How do I fix CVE-2025-47779?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-47779?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST