CVE-2024-8503
published 2024-09-10

Priority: P1 91 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 79.06% (99.5th percentile)
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.

Affected

1 range
Vendor   | Product  | Version range | Fixed in
vicidial | vicidial |               |

Detection & IOCs (extracted from sources)

url: /VERM/VERM_AJAX_functions.php?function=log_custom_report
other: JywnJyxzbGVlcCg2KSk7IzpiYXI=
path: /VERM/VERM_AJAX_functions.php
  • Detect unauthenticated GET requests to /VERM/VERM_AJAX_functions.php with function=log_custom_report. The time-based SQLi payload is delivered in the Authorization: Basic header (a base64-encoded credential pair whose username carries a sleep() call). Treat a response duration of 6 seconds or more on that request as a positive indicator; the delay is the injected sleep() executing server-side.
  • The base64 value JywnJyxzbGVlcCg2KSk7IzpiYXI= decodes to the credential pair ','',sleep(6));#:bar, i.e. a username of ','',sleep(6));# (closes the string and the surrounding expression, calls sleep(6), then comments out the rest of the query) and a password of bar. Do not match on the base64 literal alone: any change to the password or the delay value produces a different encoding. Decode the Basic header on requests to VERM_AJAX_functions.php and flag sleep() or benchmark() constructs in the result.
  • Reconnaissance phase: attackers first probe /vicidial/welcome.php and confirm the presence of the strings 'Agent Login', 'Timeclock' and 'Administration' before launching the SQLi. Correlate that GET with a subsequent request to VERM_AJAX_functions.php from the same source IP.
  • CVE-2024-8503 can be chained with CVE-2024-8504 (authenticated RCE) to achieve unauthenticated root-level command execution. Alert on the sequence: SQLi credential dump, then an authenticated agent login, then shell command activity.
  • A Metasploit auxiliary module exists for automated credential enumeration via this SQLi. Detect scanner-style repeated time-delayed requests to VERM_AJAX_functions.php from a single source IP, consistent with automated enumeration of database records (blind extraction needs one delayed request per character or bit).
  • The FOFA fingerprint icon_hash="1375401192" is used by attackers to identify internet-exposed VICIdial instances. Monitor threat intel feeds for mass scanning activity targeting this fingerprint.
  • VICIdial stores credentials in plaintext by default, so successful SQLi exploitation directly yields usable cleartext usernames and passwords with no further cracking required.
  • The vulnerability is unauthenticated (no prior session or credentials needed), which maximises the attack surface for any internet-exposed VICIdial instance.
  • The chained RCE (CVE-2024-8504) executes commands as root, so a full unauthenticated-to-root compromise path exists. Detection must cover both the SQLi phase and the subsequent authenticated RCE phase.
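The detection logic in the bullets above, worked through as an added example (not code from this page, from VICIdial, or from the Metasploit module). It decodes the Basic header instead of matching the base64 literal, checks the path, the function parameter and the response time, and correlates the welcome.php probe and repeated hits from the same source. It assumes a request record that carries the Authorization header and the server-side response time, which standard Apache/nginx access logs do not provide; a reverse proxy, WAF or IDS export is assumed. The traffic at the bottom is constructed, not captured.

```python
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


# Hypothetical request record. Plain access logs omit the Authorization
# header; this assumes a proxy/WAF/IDS that exports the header and the
# response time (an assumption of this example, not a VICIdial feature).
@dataclass
class Request:
    src_ip: str
    target: str        # request path plus query string
    headers: dict      # request headers, Authorization included
    duration_s: float  # server-side response time in seconds


SQLI_PATH = "/VERM/VERM_AJAX_functions.php"
SQLI_FUNCTION = "log_custom_report"
RECON_PATH = "/vicidial/welcome.php"
SLOW_RESPONSE_S = 6.0  # matches the sleep(6) in the public payload
# MySQL/MariaDB time-delay primitives (VICIdial runs on a MySQL-family DB)
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def decode_basic_auth(header_value):
    """Return the decoded 'user:password' string from a Basic header, or None."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    token = token.strip()
    try:
        # Tolerate missing padding; scanners are not always tidy.
        raw = base64.b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    return raw.decode("utf-8", errors="replace")


def inspect_request(req):
    """Return the indicators a single request trips (empty list: nothing seen)."""
    findings = []
    url = urlparse(req.target)
    if url.path != SQLI_PATH:
        return findings
    if SQLI_FUNCTION in parse_qs(url.query).get("function", []):
        findings.append("target_function")
    creds = decode_basic_auth(req.headers.get("Authorization"))
    if creds is not None and DELAY_RE.search(creds):
        findings.append("delay_payload_in_basic_auth")
    if req.duration_s >= SLOW_RESPONSE_S:
        findings.append("slow_response")
    return findings


def correlate(requests):
    """Walk requests in time order; one alert per suspicious VERM request.

    Each alert records whether the source IP probed welcome.php earlier
    (recon) and how many suspicious requests it has sent so far (enumeration).
    """
    recon_ips = set()
    hits_per_ip = {}
    alerts = []
    for req in requests:
        if urlparse(req.target).path == RECON_PATH:
            recon_ips.add(req.src_ip)
            continue
        findings = inspect_request(req)
        # A delay primitive in the header is enough on its own; the timing
        # signal alone only counts when it lands on the vulnerable function.
        if "delay_payload_in_basic_auth" in findings:
            severity = "high"
        elif "target_function" in findings and "slow_response" in findings:
            severity = "medium"
        else:
            continue
        hits_per_ip[req.src_ip] = hits_per_ip.get(req.src_ip, 0) + 1
        alerts.append({
            "src_ip": req.src_ip,
            "severity": severity,
            "findings": findings,
            "recon_seen": req.src_ip in recon_ips,
            "hits_from_ip": hits_per_ip[req.src_ip],
        })
    return alerts


def _basic(user_pass):
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


# Constructed traffic, not captured data. 203.0.113.7 replays the public
# payload (then a variant) after probing welcome.php; 198.51.100.4 is a
# normal agent login to the same endpoint and must not alert.
SAMPLE_TRAFFIC = [
    Request("203.0.113.7", RECON_PATH, {}, 0.04),
    Request("203.0.113.7", f"{SQLI_PATH}?function={SQLI_FUNCTION}",
            {"Authorization": "Basic JywnJyxzbGVlcCg2KSk7IzpiYXI="}, 6.31),
    Request("203.0.113.7", f"{SQLI_PATH}?function={SQLI_FUNCTION}",
            {"Authorization": _basic(b"' OR SLEEP(6)#:x")}, 6.27),
    Request("198.51.100.4", f"{SQLI_PATH}?function={SQLI_FUNCTION}",
            {"Authorization": _basic(b"agent1:s3cret")}, 0.09),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_TRAFFIC):
        print(alert)
```

Running it prints two alerts, both for 203.0.113.7 with recon_seen set and hits_from_ip climbing to 2, and nothing for the legitimate login. In production the threshold on duration_s should sit a little below the delay an attacker is likely to pick rather than exactly at 6 seconds, and hits_from_ip is the field to rate-limit or block on, since blind extraction needs many delayed requests.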

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL