CVE-2024-8504
published 2024-09-10

Priority: P1 83 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 75.38% (99.5th percentile)
An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

Detection & IOCs (extracted from sources)

url: /vicidial/welcome.php
url: /VERM/VERM_AJAX_functions.php?function=log_custom_report
other: Authorization: Basic JywnJyxzbGVlcCg2KSk7IzpiYXI=
path: /VERM/VERM_AJAX_functions.php
  • Detect time-based SQL injection attempts against VICIdial by monitoring for requests to /VERM/VERM_AJAX_functions.php with function=log_custom_report and a suspicious Authorization header containing the base64-encoded sleep payload (JywnJyxzbGVlcCg2KSk7IzpiYXI=).
  • The base64 value JywnJyxzbGVlcCg2KSk7IzpiYXI= decodes to a SQL sleep injection payload; flag any Authorization header to VERM_AJAX_functions.php containing this string.
  • CVE-2024-8504 can be chained with CVE-2024-8503: first exploit the unauthenticated SQL injection to extract plaintext credentials from the VICIdial database, then use those credentials to authenticate as an agent and achieve RCE as root.
  • VICIdial stores plaintext credentials in its database by default; successful exploitation of the SQL injection (CVE-2024-8503) directly yields usable credentials for the authenticated RCE stage (CVE-2024-8504).
  • Use the FOFA fingerprint icon_hash="1375401192" to identify internet-exposed VICIdial instances for proactive asset discovery and patching prioritization.
  • A Metasploit module exists for the authenticated RCE component (CVE-2024-8504); monitor for exploitation attempts via unix/webapp/vicidial_agent_authenticated_rce.
  • Probe for VICIdial login page presence by checking HTTP 200 responses from /vicidial/welcome.php whose body contains all three strings: 'Agent Login', 'Timeclock', and 'Administration'.
  • The Nuclei template targets CVE-2024-8503 (SQL injection) with a 20-second timeout to accommodate the sleep(6) time-based payload; adjust timeout thresholds in detection tooling accordingly to avoid false negatives on slow networks.
  • Detection of the time-based SQLi relies on response duration >= 6 seconds; network latency or server load may cause false positives or false negatives in duration-based detections.
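
The request matching described in the bullets above, as an added example (not code from this page, from VICIdial, or from any of the referenced tools). It goes beyond the exact-string match by decoding the Basic credentials, because the same username with a different password encodes to a different base64 string. The metacharacter rule, the record layout and the sample records are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/VERM/VERM_AJAX_functions.php"   # path listed on the page
KNOWN_B64 = "JywnJyxzbGVlcCg2KSk7IzpiYXI="      # header value listed on the page
# Assumption: legitimate usernames never contain SQL metacharacters or sleep(.
SUSPICIOUS_USER = re.compile(r"['\"#;()]|sleep\s*\(", re.IGNORECASE)

def decode_basic(header_value):
    """Return (user, password) from an Authorization header value, else None."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, _, password = raw.decode("latin-1").partition(":")
    return user, password

def check_request(url, authorization, duration_s=0.0):
    """Return the indicators from the page that this logged request matches."""
    parts = urlsplit(url)
    functions = parse_qs(parts.query).get("function", [])
    if not parts.path.endswith(TARGET_PATH) or "log_custom_report" not in functions:
        return []
    hits = []
    if KNOWN_B64 in authorization:
        hits.append("known_payload")
    creds = decode_basic(authorization)
    if creds and SUSPICIOUS_USER.search(creds[0]):
        hits.append("sql_metachar_in_user")
    # Duration alone is noisy (latency, load); report it only as corroboration.
    if hits and duration_s >= 6.0:
        hits.append("slow_response")
    return hits

# Constructed sample records: (url, Authorization header, response seconds).
BENIGN = "Basic " + base64.b64encode(b"agent1001:pw").decode()
SAMPLES = [
    ("/VERM/VERM_AJAX_functions.php?function=log_custom_report", "Basic " + KNOWN_B64, 6.2),
    ("/VERM/VERM_AJAX_functions.php?function=log_custom_report", BENIGN, 0.1),
    ("/vicidial/welcome.php", BENIGN, 0.1),
]

if __name__ == "__main__":
    for url, auth, secs in SAMPLES:
        print(url, check_request(url, auth, secs))
```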