CVE-2025-34099

VICIdial <2.13 RC1 - Command Injection

Title source: llm

Description

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremoteunix

https://www.exploit-db.com/exploits/42370

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb

View Code ZIP pw:eip

References (4)

[Various Sources] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb

[Various Sources] https://www.vicidial.org/VICIDIALmantis/view.php?id=1016

[Third Party Advisory] https://vulncheck.com/advisories/vicidial-unauth-command-injection

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/42370

Scores

EPSS 0.1999

EPSS Percentile 95.4%

Classification

CWE

CWE-78 CWE-20

Status draft

Timeline

Published Jul 10, 2025

Tracked Since Feb 18, 2026