CVE-2013-4468

VICIDIAL dialer <2.8-403a, 2.7, 2.7RC1 - Command Injection


Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-4468. PoCs published by Metasploit, including Metasploit module exploits/unix/webapp/vicidial_manager_send_cmd_exec.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in VICIdial's manager_send.php, leveraging SQL injection to bypass session checks and execute arbitrary commands. It includes authentication bypass via default credentials and session creation if necessary.

Description

VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in the extension parameter in an OriginateVDRelogin action to manager_send.php.

Exploits (2)

exploitdb · Working PoC · Verified
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/29513

This Metasploit module exploits a command injection vulnerability in VICIdial's manager_send.php, leveraging SQL injection to bypass session checks and execute arbitrary commands. It includes authentication bypass via default credentials and session creation if necessary.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VICIdial (versions 2.7RC1, 2.7, 2.8-403a, and likely others)
Auth required
Prerequisites: Network access to the VICIdial web interface · Default or valid credentials for VICIdial or astGUIclient
devstral-2 · analyzed Feb 16, 2026
metasploit · Working PoC · Excellent
ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb

This Metasploit module exploits a command injection vulnerability in VICIdial's manager_send.php, leveraging SQL injection to bypass session checks and execute arbitrary commands via the 'extension' parameter. It includes functionality to create a session if none exists using astGUIclient credentials.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VICIdial 2.7RC1, 2.7, 2.8-403a
Auth required
Prerequisites: Valid VICIdial credentials (default: VDCL/donotedit or VDAD/donotedit) · Valid astGUIclient credentials (optional, for session creation)
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
mailing-list (x_refsource_mlist): http://www.openwall.com/lists/oss-security/2013/10/23/10
mailing-list (x_refsource_mlist): http://www.openwall.com/lists/oss-security/2013/10/25/1
exploit (x_refsource_exploit-db): http://www.exploit-db.com/exploits/29513

Scores

EPSS 0.3176
EPSS Percentile 98.1%

Details

Status published
Products (2)
vicidial/vicidial 2.7 (2 CPE variants)
vicidial/vicidial < 2.8
Published May 14, 2014
Tracked Since Feb 18, 2026