Cyber Posture

CVE-2026-23741

Severity: Low

Published: 06 February 2026
Modified: 18 February 2026
KEV Added: not listed
CVSS Score: 0.0 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N)
EPSS Score: 0.0004 (12.3rd percentile)
Risk Priority: 0 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23741 is an uncategorised-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Sangoma Certified Asterisk. Its CVSS base score is 0.0.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 12.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The root-run script sources a locally writable, untrusted configuration file, which directly enables privilege escalation from the asterisk user to root via injected bash code.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Because the /etc/asterisk/ast_debug_tools.conf file follows bash semantics and is loaded, an attacker with write permissions may add or modify the file such that, when the root ast_coredumper is run, it would source and thereby execute arbitrary bash code found in /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Deeper analysis

CVE-2026-23741 affects Asterisk, an open source private branch exchange and telephony toolkit, specifically in versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. The vulnerability (CWE-427: Uncontrolled Search Path Element) resides in the asterisk/contrib/scripts/ast_coredumper script, which executes as root and sources the contents of /etc/asterisk/ast_debug_tools.conf. This configuration file follows bash semantics and is located in a directory writable by the asterisk user:group.

A local attacker with write access to /etc/asterisk/ast_debug_tools.conf can modify or inject arbitrary bash code into the file. When the root-privileged ast_coredumper script runs, it sources the tampered file, resulting in execution of the attacker's code with root privileges. The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N, indicating a local attack requiring low complexity and user interaction but with changed scope.

The issue has been patched in Asterisk versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. Additional details are available in the GitHub security advisory at https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3.

Details

CWE(s)

CWE-427 Uncontrolled Search Path Element

Affected Products

sangoma / asterisk: ≤ 20.18.2 · 21.0.0 to 21.12.1 · 22.0.0 to 22.8.2
sangoma / certified asterisk: 20.7 · ≤ 18.9

CVEs Like This One

CVE-2026-23740 (same product: Sangoma Asterisk)
CVE-2024-57520 (same product: Sangoma Asterisk)
CVE-2026-2360 (shared CWE-427)
CVE-2025-55210 (same vendor: Sangoma)
CVE-2026-2361 (shared CWE-427)
CVE-2026-42171 (shared CWE-427)
CVE-2026-4134 (shared CWE-427)
CVE-2026-3775 (shared CWE-427)
CVE-2025-24998 (shared CWE-427)
CVE-2024-9497 (shared CWE-427)