Description

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

INFO

Published Date :

2025-07-10T19:10:18.695Z

Last Modified :

2026-04-07T14:09:28.274Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2025-34099 vulnerability.

Vendors Products
Vicidial
  • Vicidial
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34099.

URL Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb cve-icon cve-icon
https://vulncheck.com/advisories/vicidial-unauth-command-injection cve-icon cve-icon
https://www.exploit-db.com/exploits/42370 cve-icon cve-icon
https://www.vicidial.org/VICIDIALmantis/view.php?id=1016 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability