CVE-2025-34099

CVE Database · CVE-2025-34099

CVE-2025-34099

· N/ADeferred

CVSS v3.1

N/A

CVSS v4.0

9.3

EPSS

1.18%

Published

Jul 10, 2025

Modified

Apr 14, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

Weaknesses (CWE)

CWE-20CWE-78

References (4)

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb

https://vulncheck.com/advisories/vicidial-unauth-command-injection

https://www.exploit-db.com/exploits/42370

https://www.vicidial.org/VICIDIALmantis/view.php?id=1016

KEV Catalog EPSS Scores Vendors All CVEs