CVE-2025-34099: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in VICIdial Group VICIdial
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.
AI Analysis
Technical Summary
This vulnerability involves improper neutralization of special elements in an OS command context (CWE-78) within VICIdial's vicidial_sales_viewer.php when password encryption is enabled. The application directly uses the HTTP Basic Authentication password in an exec() system call without adequate sanitization, enabling unauthenticated remote attackers to inject and execute arbitrary commands on the server. The affected versions are 2.9 RC1 through 2.13 RC1. Although the vulnerability was publicly documented in 2025, it was mitigated by the vendor in 2017. No patch links are provided, and the product is not a cloud service, so remediation depends on upgrading or applying vendor fixes from the mitigation timeframe.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary operating system commands with the privileges of the web server user. This can lead to full system compromise, data theft, or disruption of service. The vulnerability is critical due to its high CVSS score (9.3) and lack of required authentication for exploitation. However, the vendor mitigated this issue in 2017, reducing the risk for updated deployments.
Mitigation Recommendations
The vulnerability was mitigated by the vendor in 2017. Users should ensure they are running a version of VICIdial later than 2.13 RC1 or have applied the vendor's mitigation from that time. Since no official patch links are provided, verifying with the vendor's advisory or upgrading to a fixed version is recommended. No additional action is required if the mitigation is already applied.
CVE-2025-34099: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in VICIdial Group VICIdial
Description
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves improper neutralization of special elements in an OS command context (CWE-78) within VICIdial's vicidial_sales_viewer.php when password encryption is enabled. The application directly uses the HTTP Basic Authentication password in an exec() system call without adequate sanitization, enabling unauthenticated remote attackers to inject and execute arbitrary commands on the server. The affected versions are 2.9 RC1 through 2.13 RC1. Although the vulnerability was publicly documented in 2025, it was mitigated by the vendor in 2017. No patch links are provided, and the product is not a cloud service, so remediation depends on upgrading or applying vendor fixes from the mitigation timeframe.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary operating system commands with the privileges of the web server user. This can lead to full system compromise, data theft, or disruption of service. The vulnerability is critical due to its high CVSS score (9.3) and lack of required authentication for exploitation. However, the vendor mitigated this issue in 2017, reducing the risk for updated deployments.
Mitigation Recommendations
The vulnerability was mitigated by the vendor in 2017. Users should ensure they are running a version of VICIdial later than 2.13 RC1 or have applied the vendor's mitigation from that time. Since no official patch links are provided, verifying with the vendor's advisory or upgrading to a fixed version is recommended. No additional action is required if the mitigation is already applied.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2025-04-15T19:15:22.555Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 687014fca83201eaaca979db
Added to database: 7/10/2025, 7:31:08 PM
Last enriched: 4/7/2026, 11:01:16 PM
Last updated: 5/10/2026, 2:20:53 AM
Views: 121
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.