250 - Interaction Center - Security request
Gabor Szabó
In AIC version 7.3.10, the application-level passwords are discoverable, which is highlighted as a security risk. The AIC client/application uses a database account to maintain its data. The aicadmin account and its hash are hardcoded in the configuration files (e.g., vesp.imp). Every Vodafone Call Center employee can obtain this information from the files.
The client connects to the database with this account and queries the data of its application-level user. By modifying the network data packets, the logged-in user can learn the password of another user. If the admin password is decrypted, all the application data can be read and modified.