CVE-2025-1131

7.8 HIGH

📋 TL;DR

A local privilege escalation vulnerability in Asterisk's safe_asterisk script allows non-root users with write access to /etc/asterisk to execute arbitrary code as root. This occurs because the script sources all .sh files from /etc/asterisk/startup.d/ without validating permissions. Systems using SysV init or FreePBX with Asterisk are affected.

💻 Affected Systems

Products:
  • Asterisk
  • FreePBX
Versions: All versions using vulnerable safe_asterisk script (specific versions not specified in advisory)
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using safe_asterisk script for service startup (common in SysV init or FreePBX environments). Systemd-based installations may not be affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root compromise of the Asterisk server, allowing attacker to install persistent backdoors, access sensitive data, pivot to other systems, or disrupt telephony services.

🟠

Likely Case

Local user with legitimate Asterisk configuration access gains root privileges, potentially compromising the entire server and associated telephony infrastructure.

🟢

If Mitigated

Limited impact if proper file permissions and user access controls prevent unauthorized writes to /etc/asterisk directory.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing user access to the system.
🏢 Internal Only: HIGH - Any internal user with write access to /etc/asterisk can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires existing local user access with write permissions to /etc/asterisk directory. The vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Asterisk security advisory for specific patched versions

Vendor Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp

Restart Required: Yes

Instructions:

1. Update Asterisk to the patched version from the official repository.
2. Replace the safe_asterisk script with the fixed version.
3. Restart the Asterisk service.
4. Verify that the startup.d directory permissions are secure.

🔧 Temporary Workarounds

Secure startup.d directory permissions

Remove write permissions for non-root users on the /etc/asterisk/startup.d directory:

chmod 755 /etc/asterisk/startup.d
chown root:root /etc/asterisk/startup.d

Remove or audit startup scripts

Review the .sh files in the startup.d directory and remove those that are unnecessary. Note that the rm command below deletes every script in the directory, including any legitimate ones, so inspect the listing first and delete only what you do not recognise:

ls -la /etc/asterisk/startup.d/
rm /etc/asterisk/startup.d/*.sh

🧯 If You Can't Patch

  • Implement strict file permissions on /etc/asterisk and subdirectories
  • Monitor for unauthorized file creation in /etc/asterisk/startup.d/

🔍 How to Verify

Check if Vulnerable:

Check whether the safe_asterisk script exists and sources files from /etc/asterisk/startup.d/ without permission validation:

grep -r 'startup.d' /usr/sbin/safe_asterisk

Check Version:

asterisk -rx 'core show version'

Verify Fix Applied:

Verify that the patched version does not source files without validation, and check the directory permissions:

ls -ld /etc/asterisk/startup.d/
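As an added example (not part of the advisory and not Asterisk's own tooling), the following POSIX shell function performs the permission check described above in one pass: it verifies that the startup.d directory and every *.sh file in it are owned by root and are neither group- nor world-writable, which is exactly the condition under which safe_asterisk would source content a non-root user controls and run it as root. The function name and the optional directory argument are this example's own; it defaults to /etc/asterisk/startup.d.

```shell
#!/bin/sh
# Added example: audit an Asterisk startup.d directory for entries that a
# non-root user could modify. safe_asterisk sources every *.sh file in this
# directory as root, so a non-root-owned or group/world-writable directory
# or script is a path to root. Not part of the advisory or of Asterisk.
#
# Usage: audit_startup_d [DIR]   (DIR defaults to /etc/asterisk/startup.d)
# Exit status: 0 when nothing unsafe was found, 1 otherwise.

# Print the path if it is not owned by root, or has the group or world
# write bit set. Uses POSIX find predicates; -maxdepth 0 restricts the
# test to the path itself (GNU, BSD and busybox find all support it).
_unsafe_entry() {
    find "$1" -maxdepth 0 \( ! -user root -o -perm -020 -o -perm -002 \)
}

audit_startup_d() {
    dir="${1:-/etc/asterisk/startup.d}"
    rc=0

    if [ ! -d "$dir" ]; then
        echo "OK: $dir does not exist, so safe_asterisk has nothing to source"
        return 0
    fi

    # The directory itself: if a non-root user can write here, they can drop
    # a brand-new .sh file and wait for the next Asterisk restart.
    if _unsafe_entry "$dir" | grep -q .; then
        echo "UNSAFE: directory $dir is owned by or writable by a non-root user"
        rc=1
    fi

    # Every script that would be sourced: same rule applies.
    for f in "$dir"/*.sh; do
        [ -e "$f" ] || continue          # glob matched nothing
        if _unsafe_entry "$f" | grep -q .; then
            echo "UNSAFE: script $f is owned by or writable by a non-root user"
            rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: no non-root-writable entries under $dir"
    return "$rc"
}

# Run against the directory given on the command line (or the default).
audit_startup_d "$@"
```

Run it as root from cron or a configuration-management check; a non-zero exit status means the layout the advisory warns about is present, and the listed paths are the ones to fix with the chown/chmod workaround above. Symlinks are not followed, so a symlinked startup.d should be audited at its target.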

📡 Detection & Monitoring

Log Indicators:

  • Unexpected files created in /etc/asterisk/startup.d/
  • Asterisk service restarts by non-root users
  • Suspicious processes running as root after Asterisk restart

Network Indicators:

  • Unusual outbound connections from Asterisk server
  • Changes in telephony service behavior

SIEM Query:

file_create path=/etc/asterisk/startup.d/*.sh OR process_start parent_process=asterisk user=root
