
CVE-2025-34099: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in VICIdial Group VICIdial

Severity: Critical
Tags: vulnerability, cve-2025-34099, cwe-78, cwe-20
Published: Thu Jul 10 2025 (07/10/2025, 19:10:18 UTC)
Source: CVE Database V5
Vendor/Project: VICIdial Group
Product: VICIdial

Description

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

AI-Powered Analysis

AI analysis last updated: 11/26/2025, 14:10:10 UTC

Technical Analysis

CVE-2025-34099 is an OS command injection (CWE-78, with CWE-20 improper input validation as the underlying weakness) in VICIdial versions 2.9 RC1 through 2.13 RC1. It lives in the vicidial_sales_viewer.php component and is reachable only when password encryption is enabled, which is not the default configuration. In that mode the script hands the HTTP Basic Authentication password to PHP's exec() without sanitization or validation. Because exec() runs its argument through the system shell, shell metacharacters in the supplied password (which PHP exposes to the script as $_SERVER['PHP_AUTH_PW']) terminate the intended command and start one of the attacker's choosing.

The password is attacker-controlled before any credential check takes place, so no valid account is needed: a remote client simply sends an Authorization: Basic header whose password part carries the payload, and no user interaction is involved. Injected commands run with the privileges of the web server user, which is enough to read and alter application data on the host, disrupt the telephony service, or establish a foothold for privilege escalation and lateral movement. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects this: network attack vector, low complexity, no privileges or user interaction required, high impact on confidentiality, integrity and availability of the vulnerable system, and no scored impact on subsequent systems.

The fix shipped in 2017, years before the CVE was assigned in 2025, so the exposure is concentrated in installations that have not been updated since then. No exploitation in the wild is known at the time of writing, but the bug is trivial to trigger and pre-authentication, so an unpatched, internet-facing VICIdial server with password encryption enabled should be treated as high risk.
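The following PHP is an added illustration of the source-to-sink pattern the analysis describes, not VICIdial's code: the function names are invented, and /bin/echo stands in for whatever external encryption tool the real code invoked. It shows the Basic Authentication password reaching a shell-interpreted exec() beside three ways of closing the hole (no-shell argv invocation, escapeshellarg() quoting, and hashing in-process). It assumes PHP 7.4 or newer on a Unix-like host.

```php
<?php
// Illustrative reconstruction of the CWE-78 pattern from the advisory.
// NOT VICIdial's code: helper names and the stand-in binary (/bin/echo)
// are assumptions made for this demonstration.
declare(strict_types=1);

// Source: HTTP Basic Authentication. Any client can send this header
// without holding valid credentials, so PHP_AUTH_PW is attacker-controlled
// before any credential check has happened.
function basic_auth_password(array $server): string
{
    return $server['PHP_AUTH_PW'] ?? '';
}

// VULNERABLE sink: the password is concatenated into a command string that
// exec() passes to /bin/sh -c. A password such as  x;id  ends the intended
// command and runs id as the web server user.
function encrypt_password_vulnerable(string $plain): string
{
    $out = [];
    exec('/bin/echo ' . $plain, $out); // stand-in for an external encryption tool
    return implode("\n", $out);
}

// HARDENED sink: argv is passed as an array (PHP >= 7.4), so no shell is
// involved and metacharacters in $plain are just bytes in one argument.
function encrypt_password_hardened(string $plain): string
{
    $spec  = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $pipes = [];
    $proc  = proc_open(['/bin/echo', $plain], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return rtrim($stdout, "\n");
}

// Fallback when only a string-command API is available: escapeshellarg()
// wraps the value in single quotes and escapes embedded quotes.
function encrypt_password_escaped(string $plain): string
{
    $out = [];
    exec('/bin/echo ' . escapeshellarg($plain), $out);
    return implode("\n", $out);
}

// Best option: hash in-process and never reach a shell at all.
function encrypt_password_inprocess(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

if (PHP_SAPI === 'cli') {
    // Constructed attacker input: a "password" carrying a command separator,
    // as it would arrive decoded from the Authorization: Basic header.
    $fake_server = ['PHP_AUTH_USER' => 'anyone', 'PHP_AUTH_PW' => 'x;id'];
    $pw = basic_auth_password($fake_server);
    echo "vulnerable : ", encrypt_password_vulnerable($pw), "\n";
    echo "hardened   : ", encrypt_password_hardened($pw), "\n";
    echo "escaped    : ", encrypt_password_escaped($pw), "\n";
    echo "in-process : ", encrypt_password_inprocess($pw), "\n";
}
```

Run it with `php demo.php`: the vulnerable path echoes `x` and then the output of `id`, proving the second command executed, while the hardened and escaped paths echo the literal string `x;id`. The in-process variant is the one to prefer in new code, since a credential never needs to leave the PHP process to be hashed.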

Potential Impact

For European organizations, the impact of this vulnerability is significant, especially for those operating call centers or customer service platforms using VICIdial. Successful exploitation can lead to complete system compromise, unauthorized data access, and disruption of telephony services. Confidential customer data and call records could be exposed or manipulated, violating GDPR and other data protection regulations, leading to legal and financial penalties. The availability of call center services could be disrupted, impacting business operations and customer satisfaction. The ease of exploitation without authentication increases the risk of widespread attacks, including ransomware or lateral movement within corporate networks. Organizations relying on legacy VICIdial versions without mitigation are particularly vulnerable. The reputational damage and operational downtime could be severe, especially for sectors like finance, healthcare, and government services that depend on secure and reliable communication systems.

Mitigation Recommendations

1. Upgrade VICIdial to a release that contains the 2017 fix (any supported release newer than 2.13 RC1). After upgrading, confirm that the deployed vicidial_sales_viewer.php no longer passes the Basic Authentication password ($_SERVER['PHP_AUTH_PW']) to exec() or any other shell-invoking function.
2. Until the upgrade is done, disable password encryption in the VICIdial configuration so the vulnerable code path cannot be reached. This trades one control for another, so treat it as a stopgap and re-enable encryption once the code is fixed.
3. If you maintain local modifications to VICIdial, never build shell command strings from request data, least of all from authentication material. Hash passwords in-process, or, where an external tool is unavoidable, invoke it without a shell (argv array) or wrap every argument in escapeshellarg().
4. Deploy a WAF or reverse-proxy rule that decodes Authorization: Basic headers on requests to vicidial_sales_viewer.php and blocks passwords containing shell metacharacters (; | & $ ` < > and newlines). This is a compensating control, not a substitute for the fix.
5. Restrict network access to the VICIdial web interface to trusted IP ranges or a VPN, and segment telephony servers from the rest of the corporate network.
6. Monitor for exploitation attempts: web server processes (for example apache or www-data) spawning shells or network tools, bursts of 401 or 500 responses on vicidial_sales_viewer.php, and Basic Authentication attempts whose password part contains shell metacharacters.
7. Include telephony and call-centre infrastructure in regular security audits and penetration tests; legacy VICIdial installations often sit outside normal patch cycles.
8. Make IT and security teams aware of the risks of legacy telephony software and of the importance of timely patching.
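As an added example for the detection recommendation above (not VICIdial or vendor code), the PHP below decodes Authorization: Basic headers from request logs and flags attempts against vicidial_sales_viewer.php whose password part contains shell metacharacters. It assumes a log source that retains the Authorization header, such as a reverse-proxy or WAF audit log configured to record it; a stock Apache access log does not. The log line format and the sample lines are constructed for this example, and credentials are base64-encoded at runtime so the test data cannot be mistyped.

```php
<?php
// Added detection example, not VICIdial or vendor code.
// Assumption: request logs that keep the Authorization header, in the
// constructed format:   <client-ip> "<METHOD> <path>" <status> "Authorization: <value>"
declare(strict_types=1);

const TARGET_SCRIPT = 'vicidial_sales_viewer.php';

// Characters that let a string break out of a sh -c command line. None of
// them belongs in a password that is about to be handed to exec() unescaped.
const SHELL_META_RE = '/[;&|`$<>\\\\\r\n(){}]/';

// Decode "Basic <base64>" into user and password; null if malformed.
function decode_basic_auth(string $header): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+=*)$/', trim($header), $m)) {
        return null;
    }
    $raw = base64_decode($m[1], true);
    if ($raw === false || strpos($raw, ':') === false) {
        return null;
    }
    [$user, $pass] = explode(':', $raw, 2);
    return ['user' => $user, 'pass' => $pass];
}

// Return a finding for a suspicious request line, or null.
function analyze_request_line(string $line): ?array
{
    $re = '/^(\S+) "(\w+) (\S+)" (\d{3}) "Authorization: ([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    [, $ip, $method, $path, $status, $auth] = $m;
    if (strpos($path, TARGET_SCRIPT) === false) {
        return null; // only the vulnerable component is in scope
    }
    $creds = decode_basic_auth($auth);
    if ($creds === null) {
        return null; // not Basic auth, or undecodable
    }
    if (preg_match(SHELL_META_RE, $creds['pass']) === 1) {
        return [
            'ip'     => $ip,
            'method' => $method,
            'path'   => $path,
            'status' => (int) $status,
            'user'   => $creds['user'],
            'reason' => 'shell metacharacters in Basic-auth password',
        ];
    }
    return null;
}

function scan_log(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $f = analyze_request_line($line);
        if ($f !== null) {
            $f['line'] = $n + 1;
            $findings[] = $f;
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample log lines (RFC 5737 documentation addresses).
    $b64 = static fn(string $s): string => base64_encode($s);
    $sample = [
        '203.0.113.10 "GET /vicidial/vicidial_sales_viewer.php" 200 "Authorization: Basic ' . $b64('agent7:CorrectHorse') . '"',
        '198.51.100.5 "GET /vicidial/vicidial_sales_viewer.php" 401 "Authorization: Basic ' . $b64('x:a;id') . '"',
        '198.51.100.5 "GET /vicidial/vicidial_sales_viewer.php" 500 "Authorization: Basic ' . $b64('x:`id`') . '"',
        '203.0.113.22 "GET /vicidial/admin.php" 200 "Authorization: Basic ' . $b64('admin:a;b') . '"',
        '203.0.113.30 "GET /vicidial/vicidial_sales_viewer.php" 401 "Authorization: Bearer not-basic"',
    ];
    foreach (scan_log($sample) as $f) {
        printf("line %d: %s from %s (user=%s, status=%d)\n",
            $f['line'], $f['reason'], $f['ip'], $f['user'], $f['status']);
    }
}
```

Only lines 2 and 3 of the sample are reported: line 1 is a normal login, line 4 carries a metacharacter but targets a different script, and line 5 is not Basic authentication. In production, feed the same analyzer a stream of real log lines and alert on any finding, since a legitimate password would not need to contain a command separator and the status code of the request says nothing about whether the injected command ran.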


Technical Details

Data Version
5.1
Assigner Short Name
VulnCheck
Date Reserved
2025-04-15T19:15:22.555Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 687014fca83201eaaca979db

Added to database: 7/10/2025, 7:31:08 PM

Last enriched: 11/26/2025, 2:10:10 PM

Last updated: 1/7/2026, 4:20:58 AM

Views: 82

