CVE-2024-8504

HIGH

VICIdial Agent Interface - Authenticated Root Command Execution

Title source: manual

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-8504. PoCs have been published by Chocapikk, havokzero, Valentin Lobstein, and Jaggar Henry of KoreLogic, Inc., including the Metasploit module exploits/unix/webapp/vicidial_agent_authenticated_rce.

AI-analyzed exploit summary: This repository contains a combined exploit for CVE-2024-8503 (unauthenticated SQLi) and CVE-2024-8504 (authenticated RCE) in VICIdial. The exploit retrieves admin credentials via SQLi and achieves RCE via poisoned recording files.

Description

An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

Exploits (3)

nomisec WORKING POC 41 stars
by Chocapikk · poc
https://github.com/Chocapikk/CVE-2024-8504

This repository contains a combined exploit for CVE-2024-8503 (unauthenticated SQLi) and CVE-2024-8504 (authenticated RCE) in VICIdial. The exploit retrieves admin credentials via SQLi and achieves RCE via poisoned recording files.

Classification: Working PoC 95%
Attack Type: SQLi | RCE
Complexity: Moderate
Reliability: Reliable
Target: VICIdial
No auth needed
Prerequisites: Python 3.10+ · Vulnerable VICIdial instance · Server with open ports for reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 5 stars
by havokzero · poc
https://github.com/havokzero/ViciDial

The repository contains a functional exploit suite for ViciDial, featuring SQL injection for credential extraction and remote code execution capabilities. It includes API interaction modules for post-exploitation activities.

Classification: Working PoC 90%
Attack Type: SQLi | RCE
Complexity: Moderate
Reliability: Reliable
Target: ViciDial
No auth needed
Prerequisites: Network access to the target ViciDial server · Vulnerable ViciDial installation
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Valentin Lobstein, Jaggar Henry of KoreLogic, Inc. · ruby poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_agent_authenticated_rce.rb

This Metasploit module exploits an authenticated RCE vulnerability in VICIdial (CVE-2024-8504) by chaining multiple steps, including authentication, privilege escalation, and payload execution via a cron job. It requires valid admin credentials and targets versions <= 2.14-917a.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: VICIdial <= 2.14-917a
Auth required
Prerequisites: Valid admin credentials · Access to VICIdial admin interface
devstral-2 · analyzed Apr 30, 2026

References (3)

Scores

CVSS v3: 8.8
EPSS: 0.9308
EPSS Percentile: 99.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (1): VICIdial/VICIdial 2.14-917a
Published: Sep 10, 2024
Tracked Since: Feb 18, 2026