CVE-2025-49832 in PBX
Summary
by MITRE • 08/01/2025
Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 01/26/2026
The vulnerability identified as CVE-2025-49832 represents a critical security flaw within the Asterisk telephony platform that affects multiple version ranges including 18.26.2 and earlier, 20.00.0 through 20.15.0, 20.7-cert6, 21.00.0, and 22.00.0 through 22.5.0. This issue resides within the STIR/SHAKEN verification module located in asterisk/res/res_stir_shaken/verification.c, which is designed to validate caller identity through secure telephone identity credentials. The vulnerability stems from improper input validation and handling of Identity headers within the SIP profile verification process, creating a condition where remote attackers can manipulate the system's response to crafted malicious inputs.
The technical exploitation of this vulnerability occurs when an attacker can either directly set an arbitrary Identity header or when STIR/SHAKEN verification is enabled in the SIP profile associated with the targeted endpoint. This flaw allows for both remote denial of service conditions and potential remote code execution capabilities, making it particularly dangerous for telephony infrastructure that relies on these security protocols. The vulnerability manifests through improper memory handling and validation checks within the verification.c module, where untrusted input from SIP Identity headers is processed without adequate sanitization or bounds checking, creating opportunities for buffer overflows, memory corruption, or other exploitable conditions that can lead to system instability or unauthorized code execution.
The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise entire telephony networks and their associated security mechanisms. Organizations using Asterisk systems with STIR/SHAKEN enabled for caller ID validation face significant risk of unauthorized access to their telephony infrastructure, which could enable attackers to intercept calls, manipulate caller identity information, or disrupt critical communication services. This vulnerability directly impacts the integrity and availability of telephony services, particularly affecting service providers who rely on STIR/SHAKEN compliance for regulatory adherence and security assurance. The attack surface is broad as it affects both the SIP signaling and the verification components of the Asterisk platform, making it particularly challenging to secure without immediate patching.
Security mitigations for this vulnerability require immediate deployment of patched versions including 18.26.3, 20.7-cert6, 20.15.1, 21.10.1, and 22.5.1, which contain proper input validation and memory handling fixes for the verification.c module. Organizations should also implement network segmentation to limit access to SIP endpoints and consider disabling STIR/SHAKEN verification temporarily if immediate patching is not feasible. The vulnerability aligns with CWE-121, heap-based buffer overflow, and CWE-122, stack-based buffer overflow, while also mapping to ATT&CK technique T1190 for exploitation of vulnerabilities in remote services. Network monitoring should be enhanced to detect unusual patterns in SIP Identity header processing and potential buffer overflow indicators. System administrators should also review and restrict SIP profile configurations to minimize exposure while patches are deployed, as the vulnerability can be exploited remotely without authentication.