CVE-2025-1131
HIGHDescription
A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.
Is your site exposed to CVE-2025-1131?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| sangoma | asterisk |
| sangoma | asterisk |
| sangoma | asterisk |
| sangoma | asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
| sangoma | certified_asterisk |
References
Frequently Asked Questions
What is CVE-2025-1131? +
How severe is CVE-2025-1131? +
What products are affected by CVE-2025-1131? +
How do I check if I'm vulnerable to CVE-2025-1131? +
Related Vulnerabilities
To allow builds of Python to be run from an in-tree layout (rather than an installed file layout), the VPATH …
A misconfiguration in lmadmin.exe of FlexNet Publisher versions prior to 2024 R1 (11.19.6.0) allows the OpenSSL configuration file to load …
Rufus is a utility that helps format and create bootable USB flash drives. A DLL hijacking vulnerability in Rufus 4.6.2208 …
DLL Search Order Hijacking vulnerability potentially allowed an attacker with administrator privileges to load a malicious dynamic-link library and execute …
Uncontrolled Search Path Element vulnerability in OpenText Secure Content Manager on Windows allows DLL Side-Loading.This issue affects Secure Content Manager: …
PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without …