Description
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.
Published: 2025-07-10
Score: 9.3 Critical
EPSS: 39.7% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated command injection flaw exists in VICIdial’s vicidial_sales_viewer.php when password encryption is enabled. The application forwards the Basic Authentication password directly to exec() without sanitization, allowing an attacker to embed arbitrary OS commands. Successful exploitation means the attacker can run any command as the web server user, compromising confidentiality, integrity, and availability of the affected system. The weakness is a classic input validation and OS command injection problem (CWE-20, CWE-78).
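The pattern the advisory describes, a Basic Auth password concatenated into a shell command, next to two hardened forms. This is an added illustration and not VICIdial's code; the helper script /opt/app/check_pw.pl, its stdin contract, and the function names are assumptions.

```php
<?php
// Added illustration, not VICIdial's code. The helper script path and its
// stdin contract are assumptions made for this example.

// Vulnerable pattern: $_SERVER['PHP_AUTH_PW'] is supplied by any remote client
// before authentication succeeds, and string concatenation hands it to /bin/sh,
// which interprets any shell metacharacters it contains (CWE-78).
function verify_password_unsafe(string $user, string $password): bool
{
    exec('/usr/bin/perl /opt/app/check_pw.pl ' . $user . ' ' . $password, $out, $rc);
    return $rc === 0;
}

// Minimal fix if a shell must remain: quote every untrusted token so each one
// is passed to the helper as a single argument, never parsed as syntax.
function verify_password_escaped(string $user, string $password): bool
{
    exec('/usr/bin/perl /opt/app/check_pw.pl '
        . escapeshellarg($user) . ' ' . escapeshellarg($password), $out, $rc);
    return $rc === 0;
}

// Preferred fix: no shell at all. On PHP >= 7.4 proc_open() accepts an argv
// array and executes the program directly, so nothing is ever parsed by sh.
// The secret is written to stdin rather than argv, keeping it out of `ps`.
function verify_password_noshell(string $user, string $password): bool
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $user)) {
        return false;                       // allow-list the non-secret field
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/usr/bin/perl', '/opt/app/check_pw.pl', $user], $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    fwrite($pipes[0], $password . "\n");    // helper reads the secret from stdin
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);         // drain output so the child can exit
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc) === 0;         // exit status 0 means "password ok"
}
```

Where the password check can be done in-process (for example with PHP's password_verify()), no subprocess is needed and the injection surface disappears entirely.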

Affected Systems

VICIdial, versions 2.9 RC1 through 2.13 RC1, with password encryption enabled. The vulnerability is present whenever the non‑default password encryption feature is active; it does not affect installations that have disabled this option.

Risk and Exploitability

The CVSS score of 9.3 reflects high severity. An EPSS score of 40% indicates a moderate likelihood of exploitation in the wild. The flaw is not listed in CISA’s KEV catalog, but the combination of unauthenticated access and remote command execution makes it a significant risk. Attackers can exploit it remotely via HTTP Basic Authentication, forging the password field to inject commands. The vulnerability was reportedly mitigated in 2017, so older releases remain at risk.

Generated by OpenCVE AI on May 6, 2026 at 15:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade VICIdial to a release newer than 2.13 RC1 that contains the 2017 fix for this command injection flaw.
  • Disable the password encryption feature if it is not required, as the vulnerability only exists when that option is enabled.
  • Restrict network access to vicidial_sales_viewer.php to trusted IP ranges or internal networks so that only authorized hosts can contact the service.

Generated by OpenCVE AI on May 6, 2026 at 15:47 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-21037
Title: An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

History

Wed, 19 Nov 2025 12:30:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:vicidial:vicidial:*:*:*:*:*:*:*:*

Thu, 07 Aug 2025 13:45:00 +0000

Type: Description
Values Removed: An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user.
Values Added: An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00635}
Values Added: epss {'score': 0.00726}


Tue, 15 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00694}
Values Added: epss {'score': 0.00635}


Mon, 14 Jul 2025 15:30:00 +0000

Type: References
Values Removed:
Values Added:

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: epss {'score': 0.00694}


Thu, 10 Jul 2025 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 10 Jul 2025 19:30:00 +0000

Type: Description
Values Added: An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user.

Type: Title
Values Added: VICIdial vicidial_sales_viewer.php Unauthenticated Command Injection via Basic Auth Password

Type: Weaknesses
Values Added: CWE-20, CWE-78

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:07:38.130Z

Reserved: 2025-04-15T19:15:22.555Z

Link: CVE-2025-34099

Vulnrichment

Updated: 2025-07-14T14:51:47.762Z

NVD

Status: Deferred

Published: 2025-07-10T20:15:25.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34099

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses