CVE-2024-8503

CRITICAL EXPLOITED NUCLEI

VICIdial Authenticated Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2024-8503 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including Chocapikk, Machine-farmer, Valentin Lobstein, Jaggar Henry of KoreLogic, Inc., including a Metasploit module auxiliary/scanner/http/vicidial_sql_enum_users_pass. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-8503 (SQLi) and CVE-2024-8504 (RCE) in VICIdial. The exploit allows unauthenticated SQL injection to retrieve admin credentials and authenticated RCE via poisoned recording files.

Description

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.

Exploits (4)

github WORKING POC 41 stars

by Chocapikk · pythonremote

https://github.com/Chocapikk/CVE-2024-8504

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-8503 (SQLi) and CVE-2024-8504 (RCE) in VICIdial. The exploit allows unauthenticated SQL injection to retrieve admin credentials and authenticated RCE via poisoned recording files.

Classification

Working Poc 95%

Attack Type

Sqli | Rce

Complexity

Moderate

Reliability

Reliable

Target: VICIdial

No auth needed

Prerequisites: Python 3.10+ · Vulnerable VICIdial instance · Open ports for reverse shell

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC

by Machine-farmer · pythoninfoleak

https://github.com/Machine-farmer/vicidial-cve-2024-8503-blind-sqli-poc

View Code ZIP pw:eip

The repository contains a functional Python-based PoC for CVE-2024-8503, an unauthenticated blind SQL injection vulnerability in VICIdial's VERM_AJAX_functions.php. The tool includes state management for resumable scans, metadata extraction, and strict limits to prevent abuse.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: VICIdial (specific version not specified)

No auth needed

Prerequisites: Network access to the target VICIdial instance

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Apr 29, 2026 Full analysis →

metasploit WORKING POC

by Valentin Lobstein, Jaggar Henry of KoreLogic, Inc. · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/vicidial_sql_enum_users_pass.rb

View Code ZIP pw:eip

This Metasploit module exploits a time-based SQL injection vulnerability in VICIdial to enumerate admin credentials (usernames and passwords) from the 'vicidial_users' table. It uses a blind SQL injection technique with a delay-based payload to extract data.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: VICIdial (version not specified)

No auth needed

Prerequisites: Network access to the target VICIdial instance · SQL injection vulnerability in the 'log_custom_report' function

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Valentin Lobstein, Jaggar Henry of KoreLogic, Inc. · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_agent_authenticated_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated RCE vulnerability in VICIdial (CVE-2024-8504) by chaining multiple steps, including authentication, privilege escalation, and payload delivery via a malicious recording. It requires admin credentials and leverages cron job execution for command execution as root.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: VICIdial versions up to 2.14-917a

Auth required

Prerequisites: Valid admin credentials · Network access to the VICIdial web interface

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1078 - Valid Accounts T1053 - Scheduled Task/Job

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

VICIdial - SQL Injection

CRITICALVERIFIEDby s4e-io

FOFA: icon_hash="1375401192"

References (4)

Core 4

Core References

Mailing List

http://seclists.org/fulldisclosure/2024/Sep/25

Mailing List

http://seclists.org/fulldisclosure/2024/Sep/26

Various Sources third-party-advisory

https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt

Various Sources product

https://www.vicidial.org/vicidial.php

Scores

CVSS v3 9.8

EPSS 0.7917

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2025-03-19

CWE

CWE-89

Status published

Products (1)

VICIdial/VICIdial 2.14-917a

Published Sep 10, 2024

Tracked Since Feb 18, 2026