RCE in Vicidial Group

CVE-2025-34099

An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application impr…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.012 (63.9th percentile) — read the EPSS interpretation.

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2025-34099?
CVE-2025-34099 is a vulnerability in Vicidial Group, classified under Improper Input Validation. Published 2025-07-10.
Is CVE-2025-34099 known to be exploited?
1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.