CVE-2025-34099: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in VICIdial Group VICIdial

Critical
Tags: Vulnerability, CVE-2025-34099, CWE-78, CWE-20
Published: Thu Jul 10 2025 (07/10/2025, 19:10:18 UTC)
Source: CVE Database V5
Vendor/Project: VICIdial Group
Product: VICIdial

Description

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitization. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

AI-Powered Analysis

Last updated: 08/08/2025, 00:39:54 UTC

Technical Analysis

CVE-2025-34099 is a critical unauthenticated OS command injection vulnerability affecting VICIdial versions 2.9 RC1 through 2.13 RC1, specifically within the vicidial_sales_viewer.php component when password encryption is enabled—a non-default configuration. The vulnerability arises because the application improperly passes the HTTP Basic Authentication password directly to the exec() function without proper sanitization. This flaw allows remote attackers to inject arbitrary operating system commands that execute with the privileges of the web server user, potentially leading to full system compromise. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-20 (Improper Input Validation). The CVSS 4.0 base score is 9.3, reflecting its critical severity, with an attack vector of network (no authentication or user interaction required), and high impact on confidentiality, integrity, and availability. Although this vulnerability was mitigated in 2017, the published date of 2025 suggests either a re-discovery or a new variant affecting older versions still in use. No known exploits are currently reported in the wild, but the ease of exploitation and severity make it a significant threat to organizations running vulnerable VICIdial versions with password encryption enabled.

Potential Impact

For European organizations using VICIdial versions 2.9 RC1 through 2.13 RC1 with password encryption enabled, this vulnerability poses a severe risk. Successful exploitation can lead to unauthorized remote code execution, allowing attackers to compromise call center infrastructure, intercept or manipulate sensitive customer data, disrupt telephony services, or pivot to other internal systems. This can result in data breaches, service outages, reputational damage, and regulatory non-compliance under GDPR due to exposure of personal data. The critical nature of the vulnerability means that even organizations with strong perimeter defenses are at risk if the vulnerable VICIdial instance is exposed to the internet or accessible from internal networks. The lack of authentication and user interaction requirements further increases the threat surface. Given the role of VICIdial in telephony and customer relationship management, disruption or compromise could have direct operational and financial impacts.

Mitigation Recommendations

1. Immediate upgrade or patching: Organizations should upgrade VICIdial to a version released after the 2017 mitigation or apply any available security patches that address this vulnerability. If no official patch exists for the affected versions, consider disabling password encryption or reverting to default configurations until an upgrade is possible.
2. Input validation and sanitization: Review and harden any custom code or configurations that handle authentication credentials to ensure no direct execution of unsanitized inputs occurs.
3. Network segmentation: Restrict access to VICIdial web interfaces to trusted internal networks or VPNs to reduce exposure to remote attackers.
4. Web application firewall (WAF): Deploy and configure WAF rules to detect and block command injection patterns targeting vicidial_sales_viewer.php or related endpoints.
5. Monitoring and logging: Enable detailed logging of web server and application activity to detect suspicious command execution attempts.
6. Incident response readiness: Prepare to isolate affected systems and conduct forensic analysis if exploitation is suspected.
7. Disable or limit HTTP Basic Authentication usage if possible, or replace it with more secure authentication mechanisms.
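A constructed PHP illustration of the defect class described in the analysis (a Basic Auth password spliced into an exec() command) next to the two remediations recommendation 2 implies. This is added here and is not VICIdial's code; the tool path /usr/local/bin/encrypt_tool and the helper lookup_stored_hash() are hypothetical.

```php
<?php
// Constructed example of the CWE-78 pattern in this advisory; NOT VICIdial's actual code.
// /usr/local/bin/encrypt_tool and lookup_stored_hash() are hypothetical placeholders.

// VULNERABLE: the HTTP Basic Auth password is attacker-controlled and is concatenated into a
// shell command string, so any shell metacharacters in it are interpreted by /bin/sh.
function encrypt_password_vulnerable(string $password): string
{
    $lines = [];
    exec('/usr/local/bin/encrypt_tool ' . $password, $lines);   // CWE-78 sink
    return trim(implode("\n", $lines));
}

// MITIGATED (only if an external tool is genuinely required): hand the value to the shell as
// one quoted argument, so it is passed literally and never parsed as command syntax.
function encrypt_password_escaped(string $password): string
{
    $lines = [];
    exec('/usr/local/bin/encrypt_tool ' . escapeshellarg($password), $lines);
    return trim(implode("\n", $lines));
}

// Hypothetical user store: a constructed in-memory stand-in for the real database lookup.
function lookup_stored_hash(string $user): ?string
{
    static $table = null;
    if ($table === null) {
        $table = ['agent1' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $table[$user] ?? null;
}

// PREFERRED: no shell at all. Verify in-process against a stored password_hash() value, so no
// user-controlled byte ever reaches a command interpreter.
function basic_auth_ok(?string $user, ?string $password): bool
{
    if ($user === null || $password === null || $user === '' || $password === '') {
        return false;
    }
    $stored = lookup_stored_hash($user);
    if ($stored === null) {
        return false;
    }
    return password_verify($password, $stored);   // constant-time comparison internally
}

// Request handling: reject early and never write the raw password to a log.
if (!basic_auth_ok($_SERVER['PHP_AUTH_USER'] ?? null, $_SERVER['PHP_AUTH_PW'] ?? null)) {
    header('WWW-Authenticate: Basic realm="restricted"');
    http_response_code(401);
    exit;
}
```

Where the external tool cannot be removed, proc_open() with an array command (PHP 7.4+) avoids the shell entirely and is stronger than escapeshellarg() alone.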

Technical Details

Data Version: 5.1
Assigner Short Name: VulnCheck
Date Reserved: 2025-04-15T19:15:22.555Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687014fca83201eaaca979db

Added to database: 7/10/2025, 7:31:08 PM

Last enriched: 8/8/2025, 12:39:54 AM

Last updated: 8/14/2025, 12:33:59 AM
