CVE-2025-34099

CRITICAL

VICIdial <2.13 RC1 - Command Injection

Title source: llm

Description

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremoteunix

https://www.exploit-db.com/exploits/42370

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb

View Code ZIP pw:eip

References (4)

[Various Sources] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb

[Various Sources] https://www.vicidial.org/VICIDIALmantis/view.php?id=1016

[Third Party Advisory] https://vulncheck.com/advisories/vicidial-unauth-command-injection

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/42370

Scores

CVSS v4 9.3

EPSS 0.1999

EPSS Percentile 95.5%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Details

CWE

CWE-20 CWE-78

Status published

Products (1)

VICIdial Group/VICIdial 2.9 RC1 - 2.13 RC1

Published Jul 10, 2025

Tracked Since Feb 18, 2026