Cyber Resilience

CVE-2022-26499

Critical · Public PoC

Published: 15 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (16.25.2, 18.11.2, 19.3.2)
CVSS Score: 9.1 (v3.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 0.0146 (81.3rd percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-26499 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in Digium Asterisk, with a CVSS v3.1 base score of 9.1 (Critical).

Operationally, this CVE ranks in the top 18.7% of all CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-26499 is a server-side request forgery vulnerability in the Asterisk telephony platform, affecting the 16.x, 18.x and 19.x release series. When STIR/SHAKEN caller-identity verification is enabled, Asterisk retrieves the signer's certificate from the URL carried in the info parameter of the SIP Identity header (the x5u of the PASSporT). Because that URL is attacker-controlled and was not restricted, a crafted Identity header causes Asterisk to issue an outbound request (for example an HTTP GET) to a destination of the attacker's choosing, including localhost and other internal interfaces reachable only from the server itself.

An unauthenticated remote attacker can trigger the flaw over the network, with no user interaction, by sending the crafted header in a SIP request to a verifying endpoint. Successful exploitation lets the attacker reach and interact with services that are otherwise inaccessible from outside the host, which is why the CVSS vector rates confidentiality and integrity impact as high while availability is unaffected.

The Asterisk project published advisory AST-2022-002 describing the issue and directing administrators to upgrade to the fixed releases 16.25.2, 18.11.2 and 19.3.2. Debian shipped corresponding updates in DSA-5285 and the associated LTS announcement.

The EPSS probability rose materially from a low baseline to a peak of 0.1631 on 2025-01-22 before receding to the current 0.0146. EPSS estimates the probability of exploitation activity in the next 30 days rather than confirming that exploitation occurred, but a spike of that size well after disclosure indicates renewed attacker interest and is a reason to verify that exposed Asterisk instances with STIR/SHAKEN enabled are running a fixed release.


Vulnerability details

An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

digium asterisk: 16.15.0 to 16.25.1 · 18.0 to 18.11.1 · 19.0.0 to 19.3.1 (fixed in 16.25.2, 18.11.2 and 19.3.2)
debian debian linux: 10.0, 11.0

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. (addresses CWE-918)
- Outbound connections from the server to other resources can be monitored and limited at the network boundary, reducing the impact of SSRF. (addresses CWE-918)
- Validation of server-side URLs and resource references blocks SSRF attempts before any request is issued. (addresses CWE-918)
- Monitoring of unexpected outbound connections from the server detects server-side request forgery in progress. (addresses CWE-918)
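As an added example (not Asterisk's code and not the fix shipped in AST-2022-002), the following Python illustrates the URL-validation control above applied to the mechanism described in the analysis: it extracts the info= URL from a STIR/SHAKEN Identity header and screens it before any certificate fetch would be made. The policy (https only, port 443 only, no userinfo, every address the host resolves to must be globally routable) is this example's own assumption, and the sample headers and the stub resolver are constructed so the code runs offline.

```python
"""Allow-list check for the certificate URL carried in a SIP Identity header.

Added example, not Asterisk code. Screens the info= URL of a STIR/SHAKEN
Identity header so that a verifying server never issues a request to
loopback, RFC 1918, link-local or other non-routable destinations.
"""
import ipaddress
import re
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# RFC 8224 Identity header value: <PASSporT>;info=<URI>;alg=ES256;ppt=shaken
_INFO_RE = re.compile(r";\s*info\s*=\s*<([^>]*)>", re.IGNORECASE)


def extract_info_url(identity_header: str) -> Optional[str]:
    """Return the URL inside the info=<...> parameter, or None if absent."""
    m = _INFO_RE.search(identity_header)
    return m.group(1) if m else None


def _default_resolver(host: str) -> List[str]:
    """Resolve a hostname to all of its A/AAAA addresses (raises on failure)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_allowed_cert_url(url: str,
                        resolver: Callable[[str], List[str]] = _default_resolver
                        ) -> Tuple[bool, str]:
    """Decide whether a certificate URL may be fetched.

    Policy (an assumption of this example): https only, no userinfo,
    port 443 only, and every address the host maps to must be globally
    routable. A hostname is resolved and *each* returned address is
    checked, so a name with one internal record is rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, f"port {port} not allowed"
    # IP literal (IPv4 or bracketed IPv6): check it directly.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Hostname: resolve and check every address it maps to.
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
        if not addrs:
            return False, "host resolved to no addresses"
    for a in addrs:
        if not ipaddress.ip_address(a).is_global:
            return False, f"{a} is not a globally routable address"
    return True, "ok"


# Constructed sample header values (not captured traffic). The PASSporT
# portion is a placeholder; only the info= parameter matters here.
GOOD_HEADER = "dummy.passport.sig;info=<https://cert.example.net/sp.pem>;alg=ES256;ppt=shaken"
LOOPBACK_HEADER = "dummy.passport.sig;info=<http://127.0.0.1/>;alg=ES256;ppt=shaken"
IPV6_LOOPBACK_HEADER = "dummy.passport.sig;info=<https://[::1]/>;alg=ES256;ppt=shaken"
REBIND_HEADER = "dummy.passport.sig;info=<https://cert.attacker.example/>;alg=ES256;ppt=shaken"


def stub_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS (constructed data) so the example runs without a network."""
    table = {
        "cert.example.net": ["93.184.216.34"],
        # Attacker-controlled name with one public and one internal record.
        "cert.attacker.example": ["93.184.216.34", "10.0.0.5"],
    }
    if host not in table:
        raise socket.gaierror(f"no such host: {host}")
    return table[host]


def check_header(header: str,
                 resolver: Callable[[str], List[str]] = stub_resolver) -> Tuple[bool, str]:
    """Extract the info= URL from an Identity header and apply the policy."""
    url = extract_info_url(header)
    if url is None:
        return False, "no info= parameter"
    return is_allowed_cert_url(url, resolver)


if __name__ == "__main__":
    for name, hdr in [("good", GOOD_HEADER), ("loopback", LOOPBACK_HEADER),
                      ("ipv6 loopback", IPV6_LOOPBACK_HEADER), ("rebind", REBIND_HEADER)]:
        print(f"{name:14s} -> {check_header(hdr)}")
```

Two caveats a practitioner should keep in mind. First, checking addresses here and fetching later leaves a DNS-rebinding window; the fetch should be pinned to the addresses that passed validation (or the check repeated in the connect path). Second, this allow-list complements, and does not replace, the boundary controls listed above: egress filtering on the Asterisk host still limits the damage if a URL check is bypassed.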
