CVE-2025-34099
Published 2025-07-10
Priority: P2 · 72 · critical 9.3 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EXPLOIT · EPSS 1.18% (63.9th percentile)
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitization. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vicidial_group | vicidial | 2.9 RC1 – 2.13 RC1 | — |
Detection & IOCs (extracted from sources)
Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb
- Monitor HTTP Basic Authentication requests to vicidial_sales_viewer.php for shell metacharacters (e.g. ;, |, &&, $(), backticks) embedded in the password field, which are passed unsanitized to exec().
- Alert on unauthenticated requests to vicidial_sales_viewer.php on VICIdial instances where password encryption is enabled; exploitation requires no prior authentication.
- Detect use of the public Metasploit module unix/webapp/vicidial_user_authorization_unauth_cmd_exec against VICIdial web endpoints.
- Correlate the web server process spawning unexpected child OS processes (e.g. sh, bash, curl, wget) from the web server user account as a post-exploitation indicator.
- The vulnerability is only exploitable when password encryption is enabled, which is NOT the default configuration. Instances running the default (non-encrypted password) configuration are not affected.
- The vulnerability was mitigated in 2017; affected versions are 2.9 RC1 through 2.13 RC1. Detection efforts should focus on legacy or unpatched deployments.
- Exploitation has been confirmed on CentOS running VICIdial 2.11 RC2 and 2.13 RC1; testing scope may not cover all OS/distribution combinations.
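The first detection item above, implemented as an added example (not code from the page, Rapid7 or the VICIdial project): it decodes the Basic Authentication header from a hypothetical reverse-proxy access log that records the Authorization header, restricts attention to requests for vicidial_sales_viewer.php, and flags passwords containing shell metacharacters. The log format and the sample lines are constructed for the example.

```python
import base64
import re

# Path and shell metacharacters named in the advisory's detection guidance.
TARGET_PATH = "vicidial_sales_viewer.php"
SHELL_META = re.compile(r"[;|&`$()<>\n]")

# Hypothetical proxy log line: timestamp, client IP, request line, status,
# and the raw Authorization header in quotes (assumed format, not VICIdial's).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<auth>[^"]*)"$'
)

def decode_basic(auth_header):
    """Return (user, password) from a Basic header, or None if absent/malformed."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def scan_line(line):
    """Return a finding for a metacharacter-laden password aimed at the target, else None."""
    m = LOG_RE.match(line)
    if not m or not m["path"].split("?", 1)[0].endswith(TARGET_PATH):
        return None
    creds = decode_basic(m["auth"])
    if creds is None:
        return None
    user, password = creds
    hits = sorted(set(SHELL_META.findall(password)))
    if not hits:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "user": user, "metachars": hits}

def scan_log(lines):
    return [f for f in (scan_line(l) for l in lines) if f]

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed traffic: benign login, metacharacter password at the target script,
# and a metacharacter password at an unrelated script (should not be flagged).
SAMPLE_LOG = [
    f'2025-07-10T12:00:01Z 203.0.113.5 "GET /vicidial/vicidial_sales_viewer.php HTTP/1.1" 200 "{basic_header("agent1", "Winter2025!")}"',
    f'2025-07-10T12:00:02Z 203.0.113.9 "GET /vicidial/vicidial_sales_viewer.php HTTP/1.1" 401 "{basic_header("agent1", "pw;$(x)")}"',
    f'2025-07-10T12:00:03Z 203.0.113.9 "GET /vicidial/admin.php HTTP/1.1" 401 "{basic_header("admin", "a|b")}"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the request path is matched before the credential is decoded, the third line (metacharacters against a different script) is intentionally not flagged; widen TARGET_PATH handling if the deployment serves the script under another name.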
No detection rules found.
No writeups or analysis indexed.
References:
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb
- https://vulncheck.com/advisories/vicidial-unauth-command-injection
- https://www.exploit-db.com/exploits/42370
- https://www.vicidial.org/VICIDIALmantis/view.php?id=1016