How to fix CVE-2025-34099?

Within 24 hours: Identify all systems running VICIdial 2.9-2.13 RC1 with password encryption enabled and isolate them from production networks if possible; enable detailed logging and monitor for exploitation attempts. Within 7 days: Implement WAF rules to block malicious HTTP Basic Auth payloads; disable password encryption if operationally feasible; consider upgrading to VICIdial 2.14 or later, or deploy network segmentation to restrict access to VICIdial to trusted networks only. Within 30 days: Complete upgrade to patched VICIdial version or implement comprehensive compensating controls; conduct forensic analysis to determine if systems were previously compromised.

Is PHP affected by CVE-2025-34099?

A critical unauthenticated remote code execution vulnerability affects VICIdial call center software versions 2.9 through 2.13 RC1 when password encryption is enabled.

CVE-2025-34099

EUVD-2025-21037 CRITICAL

2025-07-10 [email protected]

9.3

CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-21037

PoC Detected

Aug 07, 2025 - 14:15 vuln.today

Public exploit code

CVE Published

Jul 10, 2025 - 20:15 nvd

CRITICAL 9.3

Description

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

Analysis

VICIdial call center software versions 2.9 RC1 through 2.13 RC1 contain an unauthenticated command injection in vicidial_sales_viewer.php when password encryption is enabled. The HTTP Basic Authentication password is passed directly to OS commands without sanitization, enabling remote code execution on the call center server.

Technical Context

When password encryption is enabled (non-default), the vicidial_sales_viewer.php script passes the HTTP Basic Authentication password to an OS command for decryption. Shell metacharacters in the password field allow command injection. The attack requires password encryption to be enabled, which is a common hardening step.

Affected Products

['VICIdial 2.9 RC1 through 2.13 RC1 (with password encryption enabled)']

Remediation

Update VICIdial to the latest version. If encryption is needed, implement secure password handling without shell execution. Restrict web interface access to trusted networks.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +20.0

CVSS: +46

POC: +20

CVE-2025-34099 vulnerability details – vuln.today

Back

CVE-2025-34099

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-34099

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code