CVE-2022-26499
Published: 15 April 2022
Summary
CVE-2022-26499 is a critical-severity SSRF (CWE-918) vulnerability in Digium Asterisk. Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 18.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-26499 is a server-side request forgery vulnerability affecting the Asterisk telephony platform through the 19.x release series. When STIR/SHAKEN caller-identity validation is enabled, an attacker can supply a crafted Identity header that causes Asterisk to issue outbound requests, including GETs, to attacker-chosen destinations such as localhost or other internal interfaces.
An unauthenticated remote attacker can exploit the flaw over the network without user interaction. Successful exploitation grants the ability to reach and interact with services that would otherwise be inaccessible, resulting in high impact to confidentiality and integrity while availability remains unaffected.
The Asterisk project published advisory AST-2022-002 detailing the issue and directing administrators to apply the patches released in versions 16.25.2, 18.11.2, and 19.3.2. Corresponding updates were also issued by Debian in DSA-5285 and the associated LTS announcement.
The EPSS probability rose materially from a low baseline to a peak of 0.1631 on 2025-01-22 before receding, indicating that exploitation interest emerged after disclosure and that the CVE warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-31057
Vulnerability details
An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing that attempts server-side requests to internal resources identifies SSRF weaknesses for remediation.
- Monitoring and limiting outbound connections to external resources at the network boundary reduces the impact of SSRF.
- Validating server-side URLs and resource references before they are fetched blocks SSRF attempts.
- Monitoring for unexpected outbound connections detects server-side request forgery in progress.
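As an added example (not part of this CVE record or of the Asterisk code base), the following Python vets the certificate URL carried in a SIP Identity header before any fetch, the kind of check the URL-validation control above describes. It assumes the header follows the RFC 8224 layout (a PASSporT token followed by ;info=<URL> and other parameters); the sample header is constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample: a STIR/SHAKEN Identity header whose info parameter points
# the verifier at the loopback interface instead of a public certificate repository.
SAMPLE_IDENTITY = ("eyJ.constructed.passport.token"
                   ";info=<https://127.0.0.1:8088/cert.pem>;alg=ES256;ppt=shaken")

def parse_identity_header(value):
    """Split an Identity header into (PASSporT token, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip("<>")
    return parts[0], params

def is_safe_cert_url(url, allowed_hosts=None):
    """Return True only if url is https and names a public host.
    The hostname is checked syntactically here; the address actually resolved
    must be re-checked at connect time to cover DNS rebinding."""
    u = urlparse(url)
    host = u.hostname
    if u.scheme != "https" or not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False
    except ValueError:
        # Not an IP literal: reject localhost names and ambiguous numeric forms such as "127.1".
        if (host == "localhost" or host.endswith(".localhost") or "." not in host
                or all(c in "0123456789." for c in host)):
            return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    return True

def vet_identity_header(value, allowed_hosts=None):
    """Return (ok, reason) for the certificate URL in an Identity header."""
    _, params = parse_identity_header(value)
    url = params.get("info")
    if not url:
        return False, "missing info parameter"
    if not is_safe_cert_url(url, allowed_hosts):
        return False, "refusing certificate fetch from %s" % url
    return True, "ok"
```

Passing an explicit allowed_hosts set of known certificate repositories is the stricter deployment; the address-family checks alone only keep fetches off loopback and internal ranges.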