CVE-2025-34099
Published: 10 July 2025
Summary
CVE-2025-34099 is a critical-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, ranked in the top 2.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2025-34099 is an unauthenticated command injection vulnerability affecting VICIdial versions 2.9 RC1 through 2.13 RC1. It resides in the vicidial_sales_viewer.php component and is triggered only when password encryption is enabled, a non-default setting. The application passes the HTTP Basic Authentication password directly to an exec() call without proper sanitization, enabling arbitrary operating system command execution as the web server user. The flaw is tracked under CWE-20 and CWE-78 and carries a CVSS 4.0 score of 9.3.
Remote attackers with no credentials can exploit the issue over the network by supplying a crafted Basic Authentication header, resulting in full command execution on the affected system. Because the vulnerability requires no user interaction or special privileges, successful exploitation can lead to complete compromise of the web server and any data accessible to that account.
Public references indicate the vulnerability was mitigated in 2017. Available advisories and patches from VICIdial, along with entries on Exploit-DB and VulnCheck, document the affected component and the configuration prerequisite. A Metasploit module also exists that implements the unauthenticated command injection vector.
The current and peak EPSS score of 0.4350 reflects sustained exploitation interest, consistent with the presence of public exploit code.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21037
Vulnerability details
An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to…
more
exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Directly implements checks on information inputs to reject invalid data before processing.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.