What is the CVSS score of CVE-2025-34099?

CVE-2025-34099 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. EPSS exploitation probability: 20.0%.

Which versions of PHP are affected by CVE-2025-34099?

A critical unauthenticated remote code execution vulnerability affects VICIdial call center software versions 2.9 through 2.13 RC1 when password encryption is enabled.

Is there a public PoC exploit available for CVE-2025-34099?

Yes, a public proof-of-concept exploit is available for CVE-2025-34099. Prioritise patching immediately. EPSS: 20.0%.

How to fix or mitigate CVE-2025-34099?

Within 24 hours: Identify all systems running VICIdial 2.9-2.13 RC1 with password encryption enabled and isolate them from production networks if possible; enable detailed logging and monitor for exploitation attempts. Within 7 days: Implement WAF rules to block malicious HTTP Basic Auth payloads; disable password encryption if operationally feasible; consider upgrading to VICIdial 2.14 or later, or deploy network segmentation to restrict access to VICIdial to trusted networks only. Within 30 days: Complete upgrade to patched VICIdial version or implement comprehensive compensating controls; conduct forensic analysis to determine if systems were previously compromised.

PHP CVE-2025-34099

EUVD-2025-21037 CRITICAL

Improper Input Validation (CWE-20)

2025-07-10 disclosure@vulncheck.com

PHP Command Injection

9.3

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-21037

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

PoC Detected

Aug 07, 2025 - 14:15 vuln.today

Public exploit code

CVE Published

Jul 10, 2025 - 20:15 nvd

CRITICAL 9.3

DescriptionNVD

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. NOTE: This vulnerability was mitigated in 2017.

AnalysisAI

VICIdial call center software versions 2.9 RC1 through 2.13 RC1 contain an unauthenticated command injection in vicidial_sales_viewer.php when password encryption is enabled. The HTTP Basic Authentication password is passed directly to OS commands without sanitization, enabling remote code execution on the call center server.

Technical ContextAI

When password encryption is enabled (non-default), the vicidial_sales_viewer.php script passes the HTTP Basic Authentication password to an OS command for decryption. Shell metacharacters in the password field allow command injection. The attack requires password encryption to be enabled, which is a common hardening step.

RemediationAI

Update VICIdial to the latest version. If encryption is needed, implement secure password handling without shell execution. Restrict web interface access to trusted networks.

CVE-2025-34099 vulnerability details – vuln.today

Back