Cyber Resilience

CVE-2026-23741

Low

Published: 06 February 2026

Modified: 18 February 2026
KEV Added
Patch
CVSS Score v3.1: 0.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N)
EPSS Score: 0.0017 (6.9th percentile)
Risk Priority: 0 (floored blend · peak EPSS)

Summary

CVE-2026-23741 is an uncategorised-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Sangoma Certified Asterisk. Its CVSS base score is 0.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 6.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-23741 affects Asterisk, an open source private branch exchange and telephony toolkit, in versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. The vulnerability (CWE-427: Uncontrolled Search Path Element) resides in the asterisk/contrib/scripts/ast_coredumper script, which executes as root and sources the contents of /etc/asterisk/ast_debug_tools.conf. This configuration file follows bash semantics and is located in a directory writable by the asterisk user:group.

A local attacker with write access to /etc/asterisk/ast_debug_tools.conf can modify the file or inject arbitrary bash code into it. When the root-privileged ast_coredumper script runs, it sources the tampered file and executes the attacker's code with root privileges. The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N: a local, low-complexity attack that requires user interaction and changes scope. Because the vector sets the confidentiality, integrity and availability impacts to None, the base score computes to 0.0.

The issue has been patched in Asterisk versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. Additional details are available in the GitHub security advisory at https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3.
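A defensive check for the condition described above, as an added example rather than Asterisk project code: it audits whether a file that a root script sources, and every directory above it, can be changed only by root. It assumes GNU coreutils (`stat -c`, `readlink -f`); the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not Asterisk project code. Assumes GNU coreutils.
# check_component and audit_sourced_path are names made up for this example.

# check_component PATH TRUSTED_UID: report PATH if an untrusted account could alter it.
check_component() {
    local info owner mode rc=0
    # %u = owner uid, %a = octal mode; -L follows symlinks as the sourcing shell would.
    info=$(stat -L -c '%u %a' -- "$1") || return 2
    owner=${info% *}
    mode=${info#* }
    if [ "$owner" != "$2" ]; then
        echo "UNSAFE $1: owned by uid $owner, expected uid $2"
        rc=1
    fi
    # 022 = group-write | other-write. Group-write is flagged even for a root
    # group, so a clean result means "only the trusted owner can write here".
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "UNSAFE $1: mode $mode is group- or world-writable"
        rc=1
    fi
    return $rc
}

# audit_sourced_path FILE [TRUSTED_UID] [STOP_DIR]
# Checks FILE and every parent directory up to STOP_DIR (default /).
# Returns 0 when only TRUSTED_UID (default 0, root) can change what gets sourced.
audit_sourced_path() {
    local path uid stop rc=0
    path=$(readlink -f -- "$1") || return 2
    uid=${2:-0}
    stop=$(readlink -f -- "${3:-/}") || return 2
    if [ ! -e "$path" ]; then
        # A missing file is not safe by itself: a writable directory lets it be created.
        echo "NOTE $path: missing, auditing its directory chain"
        path=$(dirname -- "$path")
    fi
    while :; do
        check_component "$path" "$uid" || rc=1
        if [ "$path" = "$stop" ] || [ "$path" = "/" ]; then break; fi
        path=$(dirname -- "$path")
    done
    return $rc
}

# Run directly: sh audit.sh /etc/asterisk/ast_debug_tools.conf
if [ "$#" -gt 0 ]; then audit_sourced_path "$@"; fi
```

Any UNSAFE line for /etc/asterisk/ast_debug_tools.conf or /etc/asterisk means an account other than root can influence what ast_coredumper sources.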

Vulnerability details

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Because the /etc/asterisk/ast_debug_tools.conf file follows bash semantics and is loaded by the script, an attacker with write permissions may add or modify the file so that, when the root ast_coredumper is run, it sources and thereby executes arbitrary bash code found in /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A root script that sources a locally writable, untrusted config file directly enables privilege escalation from the asterisk user to root via injected bash code.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23740: Same product: Sangoma Asterisk
CVE-2024-57520: Same product: Sangoma Asterisk
CVE-2025-55210: Same vendor: Sangoma
CVE-2026-2361: Shared CWE-427
CVE-2026-4134: Shared CWE-427
CVE-2026-42171: Shared CWE-427
CVE-2026-2360: Shared CWE-427
CVE-2026-28284: Same vendor: Sangoma
CVE-2026-7279: Shared CWE-427
CVE-2026-28210: Same vendor: Sangoma

Affected Assets

sangoma asterisk: ≤ 20.18.2 · 21.0.0 to 21.12.1 · 22.0.0 to 22.8.2
sangoma certified asterisk: 20.7 · ≤ 18.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents the root-owned ast_coredumper from sourcing and executing code in a file writable by the lower-privileged asterisk user.

prevent

Enforces that only authorized (root) subjects may modify /etc/asterisk/ast_debug_tools.conf or influence the privileged script's execution.

prevent

Restricts modification of the configuration file and script to authorized administrators, blocking the untrusted-search-path vector.
