CVE-2025-34099
published 2025-07-10


Priority: P2 (72) · Severity: critical · CVSS 4.0 base score: 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit: public
EPSS: 1.18% (63.9th percentile)
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitization. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

Affected (1 range)

Vendor: vicidial_group
Product: vicidial
Version range: 2.9 RC1 – 2.13 RC1
Fixed in: (not given)

Detection & IOCs (extracted from sources)

Path: vicidial_sales_viewer.php
URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb
  • Monitor HTTP Basic Authentication requests to vicidial_sales_viewer.php for shell metacharacters (e.g., ;, |, &&, $(), backticks) embedded in the password field, which are passed unsanitized to exec().
  • Alert on unauthenticated requests to vicidial_sales_viewer.php on VICIdial instances where password encryption is enabled; exploitation requires no prior authentication.
  • Detect use of the public Metasploit module unix/webapp/vicidial_user_authorization_unauth_cmd_exec against VICIdial web endpoints.
  • Correlate web server process spawning unexpected child OS processes (e.g., sh, bash, curl, wget) from the web server user account as a post-exploitation indicator.
  • The vulnerability is only exploitable when password encryption is enabled, which is NOT the default configuration. Instances running the default (non-encrypted password) configuration are not affected.
  • The vulnerability was mitigated in 2017; affected versions are 2.9 RC1 through 2.13 RC1. Detection efforts should focus on legacy or unpatched deployments.
  • Exploitation has been confirmed on CentOS running VICIdial 2.11 RC2 and 2.13 RC1; testing scope may not cover all OS/distribution combinations.
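The first detection item above (shell metacharacters in the Basic-auth password sent to vicidial_sales_viewer.php) as an added worked example; this is not code from the page or from VICIdial, and it assumes a request feed of (method, path, Authorization header) tuples and that the component is served at /vicidial_sales_viewer.php. It also handles the edge cases a real feed produces: non-Basic schemes, undecodable base64 and credentials with no user:password separator are skipped rather than crashing the scan.

```python
import base64
import binascii
import re

# Shell metacharacters from the detection guidance above: a value that reaches
# exec() unsanitized must never carry any of these.
SHELL_META = re.compile(r"[;|&`$()<>\n]")
TARGET_PATH = "/vicidial_sales_viewer.php"  # assumed web root path for the component


def basic_auth_password(authorization: str):
    """Password from an 'Authorization: Basic ...' value, or None if the scheme
    is not Basic, the token is not valid base64, or there is no ':' separator."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    _user, sep, password = decoded.partition(":")
    return password if sep else None


def flag_request(path: str, authorization: str):
    """Finding text when a request to the sales viewer carries shell
    metacharacters in its Basic-auth password, else None."""
    if path.split("?", 1)[0] != TARGET_PATH:
        return None
    password = basic_auth_password(authorization)
    if password is None:
        return None
    hits = sorted(set(SHELL_META.findall(password)))
    if not hits:
        return None
    return f"metacharacters {hits} in Basic-auth password for {path}"


def scan(requests):
    """Run flag_request over (method, path, authorization) tuples; return (path, finding) pairs."""
    return [(p, f) for _m, p, a in requests if (f := flag_request(p, a))]


# Constructed sample requests, not real traffic: one benign login, two with
# injection-shaped passwords, one to another page, one with a broken header.
SAMPLE_REQUESTS = [
    ("GET", "/vicidial_sales_viewer.php", "Basic " + base64.b64encode(b"agent:S3cret!").decode()),
    ("GET", "/vicidial_sales_viewer.php", "Basic YWdlbnQ6eDtpZA=="),  # decodes to agent:x;id
    ("GET", "/vicidial_sales_viewer.php?x=1", "Basic " + base64.b64encode(b"agent:$(id)").decode()),
    ("GET", "/agc/vicidial.php", "Basic " + base64.b64encode(b"agent:a|b").decode()),
    ("GET", "/vicidial_sales_viewer.php", "Basic %%%not-base64"),
]
```

Running scan(SAMPLE_REQUESTS) reports the second and third requests only; the request to another page and the malformed header are ignored.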