CVE-2024-8504
Published: 2024-09-10
Priority: P1 (83) · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 75.38% (99.5th percentile)
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
Detection & IOCs (extracted from sources)
url: /vicidial/welcome.php
url: /VERM/VERM_AJAX_functions.php?function=log_custom_report
header: Authorization: Basic JywnJyxzbGVlcCg2KSk7IzpiYXI=
path: /VERM/VERM_AJAX_functions.php
- Detect time-based SQL injection attempts against VICIdial by monitoring for requests to /VERM/VERM_AJAX_functions.php with function=log_custom_report that carry an Authorization header containing the base64-encoded sleep payload (JywnJyxzbGVlcCg2KSk7IzpiYXI=).
- That base64 value decodes to ','',sleep(6));#:bar, i.e. a Basic-auth username of ','',sleep(6));# and a password of bar: the injection rides in the username. The literal encoded string only matches this one payload (a different sleep value or password changes the base64), so decode the header and inspect the username rather than matching the literal alone.
- CVE-2024-8504 can be chained with CVE-2024-8503: first exploit the unauthenticated SQL injection to extract plaintext credentials from the VICIdial database, then use those credentials to authenticate as an agent and achieve RCE as root.
- VICIdial stores plaintext credentials in its database by default; successful exploitation of the SQL injection (CVE-2024-8503) directly yields usable credentials for the authenticated RCE stage (CVE-2024-8504).
- Use the FOFA fingerprint icon_hash="1375401192" to identify internet-exposed VICIdial instances for proactive asset discovery and patching prioritization.
- A Metasploit module exists for the authenticated RCE component (CVE-2024-8504): unix/webapp/vicidial_agent_authenticated_rce. Monitor agent-authenticated sessions for activity matching its behaviour.
- Probe for the VICIdial login page by checking for an HTTP 200 response from /vicidial/welcome.php whose body contains all three strings 'Agent Login', 'Timeclock' and 'Administration'.
- The Nuclei template targets CVE-2024-8503 (SQL injection) with a 20-second timeout to accommodate the sleep(6) time-based payload; adjust timeout thresholds in detection tooling accordingly to avoid false negatives on slow networks.
- Detection of the time-based SQLi relies on a response duration of at least 6 seconds; network latency or server load can cause false positives or false negatives in duration-based detections, so treat the delay as corroborating evidence alongside a payload match rather than as the sole signal.
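The detection points above (the Authorization IOC, the welcome.php fingerprint and the timing caveat) as one added Python example; this is not code from VICIdial, the Nuclei template or the Metasploit module. It decodes the Basic-auth header of each request and inspects the username, rather than matching only the base64 literal, so a variant with a different sleep value or password is still caught, and it uses response time only to corroborate a payload match. The request records are constructed, and the regex, thresholds and function names are this example's own assumptions.

```python
"""Flag CVE-2024-8503 time-based SQLi probes against VICIdial's log_custom_report.

Added example; not code from VICIdial, the Nuclei template or the Metasploit
module. The request records below are constructed for illustration, and the
regex, thresholds and function names are this example's own assumptions.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Exact IOC from the advisory page: "Authorization: Basic JywnJyxzbGVlcCg2KSk7IzpiYXI="
IOC_BASIC_AUTH = "JywnJyxzbGVlcCg2KSk7IzpiYXI="
TARGET_PATH = "/VERM/VERM_AJAX_functions.php"
TARGET_FUNCTION = "log_custom_report"
SLEEP_SECONDS = 6.0  # the published payload uses sleep(6); tune to your baseline

# Assumption: a legitimate VICIdial login name never contains quotes, SQL
# comment markers or calls to sleep()/benchmark(); any of these in the
# Basic-auth username is treated as an injection attempt.
SQLI_RE = re.compile(r"""['"]|\bsleep\s*\(|\bbenchmark\s*\(|--\s|#|/\*""", re.IGNORECASE)


def decode_basic_auth(header):
    """Return (username, password) from an 'Authorization: Basic ...' value,
    or None when the header is missing, not Basic, or not valid base64."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, _, password = raw.decode("utf-8", errors="replace").partition(":")
    return user, password


def is_target_request(path_and_query):
    """True for /VERM/VERM_AJAX_functions.php?function=log_custom_report."""
    parsed = urlparse(path_and_query)
    if parsed.path != TARGET_PATH:
        return False
    return TARGET_FUNCTION in parse_qs(parsed.query).get("function", [])


def analyze(record):
    """Return the reasons a (method, path, authorization, seconds) record is
    suspicious; an empty list means nothing matched."""
    _method, path, auth, seconds = record
    reasons = []
    if not is_target_request(path):
        return reasons
    if auth and auth.strip().split(" ")[-1] == IOC_BASIC_AUTH:
        reasons.append("exact-ioc")
    creds = decode_basic_auth(auth)
    if creds and SQLI_RE.search(creds[0]):
        reasons.append("sqli-pattern-in-username")
    # A slow response on its own is not evidence (latency, load); it only
    # corroborates a payload match, which is the caveat in the list above.
    if reasons and seconds >= SLEEP_SECONDS:
        reasons.append("delay-consistent-with-sleep")
    return reasons


def scan(records):
    """Map the index of every suspicious record to its reasons."""
    findings = {}
    for i, rec in enumerate(records):
        reasons = analyze(rec)
        if reasons:
            findings[i] = reasons
    return findings


def looks_like_vicidial_login(status, body):
    """Fingerprint from the page: HTTP 200 for /vicidial/welcome.php whose body
    carries all three marker strings."""
    return status == 200 and all(m in body for m in ("Agent Login", "Timeclock", "Administration"))


def _basic(user, password):
    """Build a Basic-auth header value for the constructed samples."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample records (not captured traffic): (method, path, Authorization, response seconds)
SAMPLE_REQUESTS = [
    ("GET", TARGET_PATH + "?function=log_custom_report", "Basic " + IOC_BASIC_AUTH, 6.4),
    # same injection with sleep(10) and another password: different base64, so the
    # literal IOC misses it but the decoded username still matches
    ("GET", TARGET_PATH + "?function=log_custom_report", _basic("','',sleep(10));#", "x"), 10.3),
    ("GET", TARGET_PATH + "?function=log_custom_report", _basic("agent1", "Secret1"), 0.2),  # benign agent
    ("GET", TARGET_PATH + "?function=other", _basic("','',sleep(6));#", "bar"), 0.1),  # wrong function
    ("GET", TARGET_PATH + "?function=log_custom_report", "Basic %%%not-base64%%%", 0.1),  # malformed header
    ("GET", "/vicidial/welcome.php", None, 7.0),  # slow but unrelated
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx][1], reasons)
```

Run against real access logs, the record tuple would be built from the request line, the Authorization header (available only if the proxy or WAF logs it) and the upstream response time; the welcome.php fingerprint helper takes a status and body you fetched yourself.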
No detection rules found.
Nuclei
CVE-2024-8503 [CRITICAL, CVSS 9.8] VICIdial - SQL Injection
An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
Template:
id: CVE-2024-8503

info:
  name: VICIdial - SQL Injection
  author: s4e-io
  severity: critical
  description: |
    An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records. By default, VICIdial stores plaintext credentials within the database.
  impact: |
    Unauthenticated attackers can exploit SQL injection to enumerate database records and extract plaintext credentials stored by VICIdial, leading to complete system compromise and unauthorized access to the call center platform.
  remediation: |
    Apply securit
Metasploit
CVE-2024-8504 [HIGH, CVSS 8.8] VICIdial Authenticated Remote Code Execution (unix/webapp/vicidial_agent_authenticated_rce)
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.
Published: 2024-09-10