CVE-2026-23741 in PBXinfo

Summary

by MITRE • 02/06/2026

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writable by the asterisk user:group. Because the /etc/asterisk/ast_debug_tools.conf file follows bash semantics and is loaded by sourcing, an attacker with write permissions may add or modify the file such that, when the root ast_coredumper is run, it would source and thereby execute arbitrary bash code found in /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.


Analysis

by VulDB Data Team • 02/19/2026

CVE-2026-23741 is a critical local privilege escalation in the Asterisk telephony platform that comes from a dangerous combination: a maintenance script that runs as root, and a configuration file, sourced by that script, that lives where a lower-privileged account can write. It affects Asterisk versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, and it can be exploited by anyone able to write files as the asterisk user or group, for example after compromising the Asterisk daemon itself. The flaw lies in ast_coredumper (asterisk/contrib/scripts/ast_coredumper), which operates with root privileges while sourcing /etc/asterisk/ast_debug_tools.conf from a directory writable by the asterisk account, giving that account a direct path to root.

Technically, the root-running ast_coredumper loads /etc/asterisk/ast_debug_tools.conf with the shell's source mechanism, so the file is not parsed as data but executed as bash: every line is a command, and any command substitution, function definition, or plain invocation in it runs with root privileges. Because /etc/asterisk is writable by the asterisk user and group, that account can create or modify the file and place arbitrary shell code in it, which runs the next time root executes ast_coredumper. The script therefore consumes executable content from across a trust boundary, which violates least privilege: a root process must not execute, or even parse as code, anything a less privileged account can write.

The operational impact is severe. In MITRE ATT&CK terms this is a Privilege Escalation (TA0004) technique: an attacker who can write as the asterisk user or group plants a payload in the configuration file and waits for an operator to run ast_coredumper as root, obtaining root and potentially complete control of the host. Exploitation needs only that write access plus a later root execution of the script, and because the payload runs inside a legitimate maintenance tool rather than a foreign binary, process-based detection is harder than for a typical exploit. The underlying weakness is CWE-732 (Incorrect Permission Assignment for Critical Resource), a file consumed by a privileged process being writable by an unprivileged one, and the consequence matches CWE-94 (Improper Control of Generation of Code), since configuration text is executed as shell code. It is a reminder that a seemingly minor permission decision on a configuration directory can have catastrophic consequences.

Remediation is to upgrade to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 (or later), where the handling of this file has been corrected. Until then, exposure can be reduced by not running ast_coredumper as root on hosts where the asterisk account is not fully trusted, and by keeping /etc/asterisk/ast_debug_tools.conf root-owned and not writable by asterisk; note that as long as /etc/asterisk itself remains writable by that account, file-level permissions alone are not sufficient, because the file can be unlinked and replaced. More generally, a privileged script should verify the ownership and mode of a file and its directory before sourcing it, or better, read settings from it as data rather than executing it. For monitoring, place a file-integrity or audit watch on /etc/asterisk/ast_debug_tools.conf (for example an auditd rule of the form -w /etc/asterisk/ast_debug_tools.conf -p wa) and alert on unexpected child processes spawned by ast_coredumper.
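The sourcing pattern described in the analysis above and the ownership and mode checks recommended in the remediation paragraph, as an added example that is not Asterisk's own ast_coredumper code. The script contrasts the insecure pattern (sourcing the file, which executes every line of it) with two defensive alternatives: a trust check that refuses a file, or its containing directory, that is not owned by the invoking user or is group/world-writable, and a loader that reads only allowlisted NAME=value lines as data. The configuration files it builds are constructed fixtures, the allowed setting names OUTPUTDIR and DATEFORMAT are illustrative rather than taken from Asterisk, and bash with GNU coreutils (stat -c, mktemp -d), i.e. Linux, is assumed.

```bash
#!/usr/bin/env bash
# Added example for CVE-2026-23741; not code from Asterisk. Shows why a
# root script must not source a file that a lower-privileged account
# can write, and two safer ways to consume such a file.
# Assumes bash and GNU coreutils (stat -c, mktemp -d), i.e. Linux.

# The insecure pattern: "." executes every line of the file, so a line
# such as "touch /some/path" runs with the caller's privileges.
unsafe_load_conf() {
    # shellcheck disable=SC1090
    . "$1"
}

# Trust check before sourcing: the file must be a regular file owned by
# the invoking user and not group/world-writable, and so must its
# directory (a writable directory lets another account unlink and
# replace the file even when the file itself is root-owned).
conf_is_trusted() {
    local f="$1" d fperm dperm
    d=$(dirname "$f")
    [ -f "$f" ] && [ -O "$f" ] && [ -O "$d" ] || return 1
    fperm=$(stat -c '%A' "$f") && dperm=$(stat -c '%A' "$d") || return 1
    # symbolic mode like -rw-r--r--: char 6 is group write, char 9 other write
    case "$fperm" in ?????w*|????????w*) return 1 ;; esac
    case "$dperm" in ?????w*|????????w*) return 1 ;; esac
    return 0
}

# Data-only loader: accept just NAME=value lines where NAME is in the
# allowlist and the value is plain text; every other line is counted in
# CONF_REJECTED instead of being executed. The setting names below are
# illustrative (assumed), not Asterisk's.
CONF_ALLOWED_NAMES="OUTPUTDIR DATEFORMAT"
CONF_REJECTED=0
load_conf_kv() {
    local line name value
    local re='^([A-Za-z_][A-Za-z0-9_]*)=([A-Za-z0-9_./%:@,-]*)$'
    CONF_REJECTED=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"   # strip leading blanks
        [ -z "$line" ] && continue
        case "$line" in \#*) continue ;; esac     # comment line
        if [[ $line =~ $re ]]; then
            name="${BASH_REMATCH[1]}" value="${BASH_REMATCH[2]}"
            case " $CONF_ALLOWED_NAMES " in
                *" $name "*) printf -v "$name" '%s' "$value" ;;  # assign, never eval
                *) CONF_REJECTED=$((CONF_REJECTED + 1)) ;;
            esac
        else
            CONF_REJECTED=$((CONF_REJECTED + 1))
        fi
    done < "$1"
}

# Constructed sample inputs (not real Asterisk configs). evil.conf has an
# injected command on its own line, which is exactly what sourcing runs.
make_fixtures() {
    local dir="$1"
    printf 'OUTPUTDIR=/var/tmp/cores\nDATEFORMAT=%%F-%%T\n' > "$dir/good.conf"
    printf 'OUTPUTDIR=/var/tmp/cores\ntouch %s/pwned\n' "$dir" > "$dir/evil.conf"
    chmod 600 "$dir/good.conf" "$dir/evil.conf"
}

demo() {
    local dir; dir=$(mktemp -d)
    make_fixtures "$dir"
    ( unsafe_load_conf "$dir/evil.conf" )          # payload runs, in a subshell
    [ -e "$dir/pwned" ] && echo "source:  injected command ran (pwned created)"
    rm -f "$dir/pwned"
    conf_is_trusted "$dir/good.conf" && echo "check:   good.conf (0600) accepted"
    chmod 664 "$dir/evil.conf"
    conf_is_trusted "$dir/evil.conf" || echo "check:   group-writable evil.conf refused"
    load_conf_kv "$dir/evil.conf"
    echo "kv load: OUTPUTDIR=$OUTPUTDIR rejected=$CONF_REJECTED pwned=$([ -e "$dir/pwned" ] && echo yes || echo no)"
    rm -rf "$dir"
}
demo
```

The trust check inspects the directory as well as the file because the weakness on this page is a writable directory: a root-owned, mode 0644 file inside /etc/asterisk can still be unlinked and replaced by the asterisk account. The data-only loader also rejects names outside the allowlist, so a line such as PATH=/tmp cannot redirect later commands in the privileged script.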

Responsible

GitHub M

Reservation

01/15/2026

Disclosure

02/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00041

KEV

no

Activities

very low
