CVE-2025-1131
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-1131
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-1131.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-1131
- Aliases
-
- GHSA-v9q8-9j8m-5xwp
- Downstream
- Published
- 2025-09-23T05:15:35.603Z
- Modified
- 2025-11-16T12:26:48.786389Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions.
Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.
- References
Affected packages
Git / github.com/asterisk/asterisk
Affected ranges
- Type
- GIT
- Repo
- https://github.com/asterisk/asterisk
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
18.*
18.17.0
18.17.0-rc1
18.17.1
18.18.0
18.18.0-rc1
18.18.1
18.19.0
18.19.0-rc1
18.19.0-rc2
18.20.0
18.20.0-rc1
18.20.1
18.20.2
18.21.0
18.21.0-rc1
18.21.0-rc2
18.22.0
18.22.0-rc1
18.22.0-rc2
18.23.0
18.23.0-rc1
18.23.1
18.24.0
18.24.0-rc1
18.24.1
18.24.2
18.24.3
18.25.0
18.25.0-rc1
18.25.0-rc2
18.26.0
18.26.0-rc1
18.26.1
18.26.2