CVE-2025-1131 HIGH

CVE-2025-1131: Asterisk Unsafe Shell Sourcing in safe_asterisk Leads to Local Privilege Escalation

Vendor Asterisk
Product Asterisk
Weakness CWE-427
Published September 23, 2025
Last update February 26, 2026

CVSS base score

7.0/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/V:C/RE:H/U:Amber

What the vulnerability does

01Description

A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.

Key dates

02Disclosure timeline

September 23, 2025 CVE published
February 26, 2026 Record updated