CVE-2025-34099

CRITICAL

VICIdial <2.13 RC1 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-34099. PoCs published by Metasploit, including Metasploit module exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.

AI-analyzed exploit summary

This Metasploit module exploits an unauthenticated command execution vulnerability in VICIdial versions 2.9 RC1 to 2.13 RC1 by injecting commands into the HTTP Basic authentication password field when password encryption is enabled. The exploit leverages improper input sanitization to execute arbitrary commands as the web server user.

Description

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component, when password encryption is enabled (a non-default configuration). The application passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitization. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

Exploits (2)

exploitdb · Working PoC · Verified
by Metasploit · Tags: ruby, remote, unix
https://www.exploit-db.com/exploits/42370

Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VICIdial 2.9 RC1 to 2.13 RC1
No auth needed
Prerequisites: Password encryption enabled in VICIdial · Network access to the target VICIdial instance
devstral-2 · analyzed Feb 16, 2026
metasploit · Working PoC · Excellent
Tags: ruby, poc, unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb

This Metasploit module exploits an unauthenticated command execution vulnerability in VICIdial versions 2.9 RC1 to 2.13 RC1 when password encryption is enabled. It leverages HTTP Basic Authentication to inject commands via the password field, which is passed to an exec() call.

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VICIdial 2.9 RC1 to 2.13 RC1
No auth needed
Prerequisites: Password encryption enabled in VICIdial · Access to the VICIdial web interface
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4 9.3
EPSS 0.0118
EPSS Percentile 63.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE: CWE-20, CWE-78
Status published
Products (1)
VICIdial Group/VICIdial 2.9 RC1 - 2.13 RC1
Published Jul 10, 2025
Tracked Since Feb 18, 2026