Ubuntu LTS: Asterisk Severe Internal Security Flaw 2025-1132
debian lts
October 10, 2025
Two security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange
Summary
CVE-2025-1131
A local privilege escalation vulnerability exists in the safe_asterisk
script included with the Asterisk toolkit package. When Asterisk is started
via this script, it sources all .sh files located in
/etc/asterisk/startup.d/ as root, without validating ownership or
permissions. Non-root users with legitimate write access to /etc/asterisk
can exploit this behaviour by placing malicious scripts in the startup.d
directory, which will then execute with root privileges upon service
restart. Default Debian installations are not affected by this problem.
CVE-2025-54995
Prior to this version, RTP UDP ports and internal resources can leak due to
a lack of session termination. This could result in resource exhaustion.
For Debian 11 bullseye, these problems have been fixed in version
1:16.28.0~dfsg-0+deb11u8.
We recommend that you upgrade your asterisk packages.
For the detailed security status of asterisk please refer to
its security tracker page at:
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: asterisk
Version: 1:16.28.0~dfsg-0+deb11u8
CVE ID: CVE-2025-1131 CVE-2025-54995
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!