CVE-2025-54995: Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resour...

Description

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.45%

35.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Sangoma	Asterisk	< 18.26.4	—
Sangoma	Certified Asterisk	< 18.9	—
Sangoma	Certified Asterisk	18.9	Cert1

References

Timeline

Published: Aug 28, 2025
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2025-54995?

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.

How severe is CVE-2025-54995?

CVE-2025-54995 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.45% probability of exploitation in the next 30 days.

How do I fix CVE-2025-54995?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.