CVE-2013-7382

VICIDIAL dialer <2.8-403a, 2.7, 2.7RC1 - Info Disclosure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-7382. PoCs published by Metasploit.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in VICIdial's manager_send.php, leveraging SQL injection to bypass session checks and execute arbitrary commands. It includes authentication bypass via default credentials and session creation if necessary.

Description

VICIDIAL dialer (aka Asterisk GUI client) 2.8-403a, 2.7, 2.7RC1, and earlier has a hardcoded password of donotedit for the (1) VDAD and (2) VDCL users, which makes it easier for remote attackers to obtain access.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/29513

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VICIdial (versions 2.7RC1, 2.7, 2.8-403a, and likely others)
Auth required
Prerequisites: Network access to the VICIdial web interface · Default or valid credentials for VICIdial or astGUIclient
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/10/23/10
Exploit mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2013/10/25/1
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/29513

Scores

EPSS 0.0279
EPSS Percentile 84.5%

Details

CWE: CWE-255
Status: published
Products (2)
vicidial/vicidial 2.7 (2 CPE variants)
vicidial/vicidial < 2.8
Published: May 17, 2014
Tracked Since: Feb 18, 2026