CVE-2024-8503
Published 2024-09-10
Priority P1 · 91 · critical · 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 79.06% (99.5th percentile)
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vicidial | vicidial | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to /VERM/VERM_AJAX_functions.php with function=log_custom_report; a time-based SQLi payload is delivered via the Authorization: Basic header (base64-encoded sleep() call). Look for response durations >= 6 seconds as a positive indicator.
- The base64 value JywnJyxzbGVlcCg2KSk7IzpiYXI= decodes to a SQL sleep injection payload (',sleep(6));#:bar. Flag any Authorization: Basic header on requests to VERM_AJAX_functions.php containing this or similar sleep() constructs.
- Reconnaissance phase: attackers first probe /vicidial/welcome.php and confirm the presence of 'Agent Login', 'Timeclock', and 'Administration' strings before launching the SQLi. Correlate this GET with a subsequent request to VERM_AJAX_functions.php from the same source IP.
- CVE-2024-8503 can be chained with CVE-2024-8504 (authenticated RCE) to achieve unauthenticated root-level command execution. Alert on sequential exploitation: SQLi credential dump followed by authenticated agent login and shell command activity.
- A Metasploit auxiliary module exists for automated credential enumeration via this SQLi. Detect scanner-style repeated time-delayed requests to VERM_AJAX_functions.php from a single source IP, consistent with automated enumeration of database records.
- FOFA fingerprint icon_hash="1375401192" is used by attackers to identify internet-exposed VICIdial instances. Monitor threat intel feeds for mass scanning activity targeting this fingerprint.
- VICIdial stores credentials in plaintext by default, meaning successful SQLi exploitation directly yields usable cleartext usernames and passwords with no further cracking required.
- The vulnerability is unauthenticated (no prior session or credentials needed), maximising the attack surface for any internet-exposed VICIdial instance.
- The chained RCE (CVE-2024-8504) executes commands as root, so a full unauthenticated-to-root compromise path exists. Detection must cover both the SQLi phase and the subsequent authenticated RCE phase.
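As an added defender-side example (not from the page's sources or from any of the tools listed here), the Python below walks constructed web-server log entries and applies the indicators above: a decoded Authorization: Basic value containing a sleep() call on requests to VERM_AJAX_functions.php, response times of six seconds or more, repeated timed requests from one source, and correlation with an earlier /vicidial/welcome.php probe from the same IP. The log layout, field names and sample entries are assumptions.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample entries (not real traffic): (src_ip, method, path, Authorization header, duration_s).
# The base64 value on the second and third lines is the indicator quoted above.
SAMPLE_LOG = [
    ("203.0.113.5", "GET", "/vicidial/welcome.php", "", 0.2),
    ("203.0.113.5", "GET", "/VERM/VERM_AJAX_functions.php?function=log_custom_report",
     "Basic JywnJyxzbGVlcCg2KSk7IzpiYXI=", 6.1),
    ("203.0.113.5", "GET", "/VERM/VERM_AJAX_functions.php?function=log_custom_report",
     "Basic JywnJyxzbGVlcCg2KSk7IzpiYXI=", 6.0),
    ("198.51.100.7", "GET", "/VERM/VERM_AJAX_functions.php?function=log_custom_report",
     "Basic YWxpY2U6cGFzc3dvcmQ=", 0.3),  # ordinary "alice:password" login, benign
    ("198.51.100.9", "GET", "/agc/vicidial.php", "", 0.1),
]

SLEEP_RE = re.compile(r"(?i)\bsleep\s*\(")  # matches sleep(6), SLEEP (6), etc.
SLOW_THRESHOLD_S = 6.0                       # threshold from the indicator above

def decode_basic(header):
    """Decode an 'Authorization: Basic' value; return '' if absent or not valid base64."""
    if not header.lower().startswith("basic "):
        return ""
    try:
        return base64.b64decode(header[6:].strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

def classify(entry):
    """Return indicator tags for one entry; an empty list means nothing suspicious."""
    _src, _method, path, auth, duration = entry
    tags = []
    if "VERM_AJAX_functions.php" not in path:
        return tags
    if "function=log_custom_report" in path and SLEEP_RE.search(decode_basic(auth)):
        tags.append("sqli_sleep_in_basic_auth")
    if duration >= SLOW_THRESHOLD_S:
        tags.append("slow_response")
    return tags

def analyze(log):
    """Per source IP: welcome.php recon seen, indicator hits, and count of timed requests."""
    report = defaultdict(lambda: {"recon": False, "indicators": [], "timed_requests": 0})
    for entry in log:
        src, _, path, _, _ = entry
        if path.startswith("/vicidial/welcome.php"):
            report[src]["recon"] = True
        tags = classify(entry)
        if tags:
            report[src]["indicators"].append(tags)
            report[src]["timed_requests"] += "slow_response" in tags
    return {ip: r for ip, r in report.items() if r["indicators"]}
```

Only sources with at least one indicator are returned, so a lone welcome.php visit produces no alert on its own.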
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-5qf6-wqm9-p35x (ghsa_unreviewed · 2024-09-10)
CVE-2024-8503 [CRITICAL] CWE-89: An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
GHSA
GHSA-r47m-g4vh-pxf6 (ghsa_unreviewed · 2024-09-10 · CVSS 9.8)
CVE-2024-8504 [CRITICAL] CWE-78: An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
VulnCheck
vulncheck · 2024 · CVSS 9.8
CVE-2024-8503 [CRITICAL] vicidial vicidial: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
Affected: vicidial vicidial
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cyble.com/blog/cyble-sensors-detect-exploit-attempts-on-ivanti-avtech-ip-cameras/; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Exploit PoC: https://vulncheck.com/xdb/38fdf14467eb
No detection rules found.
Metasploit
metasploit
Vicidial SQL Injection Time-based Admin Credentials Enumeration
This module exploits a time-based SQL injection vulnerability in VICIdial, allowing attackers to dump admin credentials (usernames and passwords) via SQL injection.
Nuclei
nuclei · CVSS 9.8
CVE-2024-8503 [CRITICAL] VICIdial - SQL Injection
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
Template:
id: CVE-2024-8503
info:
  name: VICIdial - SQL Injection
  author: s4e-io
  severity: critical
  description: |
    An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
  impact: |
    Unauthenticated attackers can exploit SQL injection to enumerate database records and extract plaintext credentials stored by VICIdial, leading to complete system compromise and unauthorized access to the call center platform.
  remediation: |
    Apply securit
Metasploit
metasploit · CVSS 9.8
CVE-2024-8503 [CRITICAL] VICIdial Authenticated Remote Code Execution
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.