CVE-2024-8504

high-risk

Published 2024-09-10

An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

Do I need to act?

92.8% chance of exploitation in next 30 days

EPSS score — higher than 7% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

References (3)

https://korelogic.com/Resources/Advisories/KL-001-2024-012.txt

https://www.vicidial.org/vicidial.php

http://seclists.org/fulldisclosure/2024/Sep/26

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 20/34 · Moderate

Exposure 5/34 · Minimal