CVE-2021-26758
📋 TL;DR
CVE-2021-26758 is a command injection in OpenLiteSpeed web server 1.7.8 that turns into a privilege escalation: a user with access to the WebAdmin console can inject shell commands that the server executes as root, yielding a root shell on the host. It affects anyone running a vulnerable 1.7.8 install and is most dangerous where the WebAdmin console (TCP 7080 by default) is reachable from the internet or from untrusted networks.
💻 Affected Systems
- OpenLiteSpeed 1.7.8 (fixed in 1.7.9)
📦 What is this software?
OpenLiteSpeed is the open-source edition of the LiteSpeed web server, published by LiteSpeed Technologies (litespeedtech on GitHub). It ships with a separate WebAdmin console, served on TCP 7080 by default, through which the server, its virtual hosts and its external applications are configured.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise: the injected commands run as root, so an attacker can install malware, read any file on the host (TLS private keys, every hosted site's code and database credentials), pivot to other systems, or establish persistent backdoors that survive a later patch.
Likely Case
An attacker who obtains WebAdmin console credentials (a weak or reused password, a leaked configuration backup, or an internet-exposed console that gets brute-forced) turns that access into a root shell on the web server host, then steals data, modifies site content, or uses the host as a foothold for further attacks.
If Mitigated
Limited impact: if the console is reachable only from a trusted administration network and its credentials are strong, the vulnerable code path is not exposed to outsiders; network segmentation, an unprivileged worker account and monitoring of the console's access log and of processes spawned by the server bound what a successful attempt can do until the host is patched.
🎯 Exploit Status
Public exploit code is available on Exploit-DB (ID 49556). It is an authenticated exploit: it needs valid WebAdmin console credentials, but once those are in hand no further skill is required, so any exposed console with guessable credentials is an easy target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.9 and later
Vendor Tracking Issue: https://github.com/litespeedtech/openlitespeed/issues/217
Restart Required: Yes (the running lshttpd processes keep executing the old code until they are restarted)
Instructions:
1. Back up /usr/local/lsws/conf and /usr/local/lsws/admin/conf (server and WebAdmin configuration) before touching the install.
2. Stop OpenLiteSpeed, for example with /usr/local/lsws/bin/lswsctrl stop (or the systemd unit, commonly lsws, on packaged installs).
3. Upgrade to 1.7.9 or later through the same channel the server was installed from: the distribution package from the LiteSpeed repository, or the bundled upgrade script /usr/local/lsws/admin/misc/lsup.sh for tarball installs.
4. Start the service again and confirm the running processes are the new build, not a leftover instance.
5. Verify the version as described under "How to Verify".
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the WebAdmin console (TCP 7080 by default) to trusted administration addresses. Both rules must sit ahead of any existing broad ACCEPT in the INPUT chain, so insert them at the top instead of appending; the DROP is inserted first so that the ACCEPT ends up above it. Replace trusted_ip with your administration host or network and persist the rules with your distribution's mechanism. Where possible, additionally bind the console listener to a loopback or management address in the WebAdmin listener configuration and reach it over an SSH tunnel.
iptables -I INPUT 1 -p tcp --dport 7080 -j DROP
iptables -I INPUT 1 -p tcp --dport 7080 -s trusted_ip -j ACCEPT
Service Account Hardening
Do not chown the install tree to the web user: /usr/local/lsws holds the binaries and configuration, and making them writable by the service account turns any web-tier compromise into a persistent one. OpenLiteSpeed already separates privileges: the parent process starts as root (to bind ports and read keys) and the worker processes run as the account named by the user and group directives in /usr/local/lsws/conf/httpd_config.conf (nobody by default). Keep those pointing at an unprivileged account; if you create a dedicated one, give it no login shell and reference it from the configuration rather than changing file ownership:
useradd -r -s /bin/false openlitespeed_user
user   openlitespeed_user
group  openlitespeed_user
This limits what a compromised worker can do. It does not by itself close CVE-2021-26758, whose injected command runs as root regardless of the worker account (that is what makes it an escalation), so treat it as defence in depth and still patch or block the console.
🧯 If You Can't Patch
- Isolate the host on its own network segment with no route to internal systems, expose only ports 80/443 to the internet, and make the WebAdmin console reachable only from a management network or through an SSH tunnel
- If the console must stay reachable, put a WAF in front of it and alert on every console login from an unexpected address; a WAF only inspects traffic routed through it, so it does nothing for a console bound directly to a public interface
🔍 How to Verify
Check if Vulnerable:
Ask the installed binary for its version (openlitespeed is normally a symlink to lshttpd in the same directory; the first line of output names the build, e.g. LiteSpeed/1.7.8 Open). The same version string is kept in /usr/local/lsws/VERSION on a standard install.
/usr/local/lsws/bin/openlitespeed -v | head -n 1
cat /usr/local/lsws/VERSION
Anything below 1.7.9 is vulnerable.
Verify Fix Applied:
Re-run the version command after the upgrade and confirm it reports 1.7.9 or later. Then confirm the service was actually restarted, because the old code keeps running until it is: the lshttpd process start times in ps must be later than the upgrade.
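The version check above is easy to get wrong by hand (a plain string compare puts 1.7.10 before 1.7.9), so here is a small POSIX shell script, added here as an example rather than taken from the page or the OpenLiteSpeed project, that parses the binary's -v output or the VERSION file and compares the dotted version numerically against the fixed release. The binary path, the VERSION file path and the "LiteSpeed/1.7.8 Open" output format are assumptions based on a standard /usr/local/lsws install; adjust them if your layout differs.

```shell
#!/bin/sh
# Added example (not from the page or the OpenLiteSpeed project): decide whether an
# installed OpenLiteSpeed build is older than the fixed 1.7.9 release.
# Assumptions: the binary lives at /usr/local/lsws/bin/lshttpd (openlitespeed is a
# symlink to it) and `lshttpd -v` prints a first line like "LiteSpeed/1.7.8 Open";
# /usr/local/lsws/VERSION holds the bare version string. Adjust for your layout.

LSWS_BIN="${LSWS_BIN:-/usr/local/lsws/bin/lshttpd}"
LSWS_VERSION_FILE="${LSWS_VERSION_FILE:-/usr/local/lsws/VERSION}"
FIXED_VERSION="1.7.9"

# Extract a dotted version from either "LiteSpeed/1.7.8 Open" style output or a
# bare "1.7.8" string (as in the VERSION file). Prints the version, or returns 1.
parse_ols_version() {
    first=$(printf '%s\n' "$1" | head -n 1)
    case "$first" in
        LiteSpeed/*) first=${first#LiteSpeed/} ;;
    esac
    first=${first%%[[:space:]]*}          # drop " Open" and any trailing whitespace
    case "$first" in
        ''|*[!0-9.]*) return 1 ;;         # not a version string
    esac
    printf '%s\n' "$first"
}

# version_lt A B: true (0) when dotted version A is strictly lower than B.
# Compared field by field numerically, so 1.7.10 > 1.7.9 and 1.7 < 1.7.9.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
    done
    return 1
}

# True (0) when the given version predates the fix.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Live check: read the version from the binary (falling back to the VERSION
# file), print a verdict, return 0 if patched, 1 if vulnerable, 2 if unknown.
check_installed() {
    raw=''
    if [ -x "$LSWS_BIN" ]; then
        raw=$("$LSWS_BIN" -v 2>&1)
    elif [ -r "$LSWS_VERSION_FILE" ]; then
        raw=$(cat "$LSWS_VERSION_FILE")
    fi
    ver=$(parse_ols_version "$raw") || { echo "could not determine OpenLiteSpeed version" >&2; return 2; }
    if is_vulnerable "$ver"; then
        echo "VULNERABLE: OpenLiteSpeed $ver is older than $FIXED_VERSION (CVE-2021-26758)"
        return 1
    fi
    echo "OK: OpenLiteSpeed $ver is $FIXED_VERSION or later"
    return 0
}

# Run the live check only when invoked as: sh check_ols.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed
    exit $?
fi
```

Run it as `sh check_ols.sh --check` on each host; the exit code (0 patched, 1 vulnerable, 2 unknown) makes it usable from a configuration-management or fleet-inventory job. Remember that a patched binary on disk says nothing about the running process: pair this with the restart check above.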
📡 Detection & Monitoring
Log Indicators:
- WebAdmin console logins recorded in the console access log (typically /usr/local/lsws/admin/logs/access.log) from addresses outside the administration network, or at unusual hours
- New or changed External App definitions in the server or virtual-host configuration that no administrator made
- Shells or tooling (sh, bash, nc, curl, wget, python) spawned as children of the lshttpd/litespeed or lsphp processes, especially running as root
Network Indicators:
- Unexpected outbound connections from the web server (reverse shells, downloads of second-stage tooling)
- Any inbound connection to TCP 7080 from the internet where the console was meant to be internal
SIEM Query:
Illustrative query (Splunk-style syntax; adapt field names and the trusted address list to your schema) that combines console hits from untrusted addresses with suspicious process lineage:
(source="/usr/local/lsws/admin/logs/access.log" NOT src_ip IN (<trusted_admin_ips>)) OR (sourcetype=process_creation parent_process IN ("lshttpd","litespeed","lsphp") process IN ("sh","bash","nc","curl","wget","python*") user=root)
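Where no SIEM ingests the console log, the same first indicator can be checked on the host. The following POSIX shell script is an added example, not code from the page or from the OpenLiteSpeed project: it flags every WebAdmin console request whose client address is not on an allowlist and pulls out successful logins from untrusted addresses, which is the highest-value signal for this CVE because the exploit needs a working console session. It assumes the console access log is in the Apache-style common/combined format with the client IP as the first field; the allowlist addresses, the log lines and the request paths in the sample are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page or the OpenLiteSpeed project): flag WebAdmin
# console requests that did not come from an allowlisted administration address.
# Assumption: the console access log (typically /usr/local/lsws/admin/logs/access.log)
# is in Apache-style common/combined format, i.e.
#   ip ident user [timestamp tz] "METHOD path proto" status bytes "referer" "agent"

# Space-separated allowlist of administration addresses (assumed values).
ALLOWLIST="${ALLOWLIST:-10.0.0.5 192.168.1.10}"

# Print ip<TAB>method<TAB>path<TAB>status for every line whose client IP is not
# allowlisted. Reads the file given as $1, or stdin when called without one.
flag_untrusted_admin_hits() {
    awk -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 9 && !($1 in ok) {
            method = substr($6, 2)       # $6 is "\"GET" etc.; drop the opening quote
            printf "%s\t%s\t%s\t%s\n", $1, method, $7, $9
        }
    ' "${1:--}"
}

# Number of flagged requests; handy as an alert threshold.
count_untrusted_admin_hits() {
    flag_untrusted_admin_hits "${1:--}" | wc -l | tr -d ' '
}

# Addresses outside the allowlist whose POST to the login page got a 2xx/3xx
# answer: a console login that worked from outside the admin network.
untrusted_login_successes() {
    flag_untrusted_admin_hits "${1:--}" \
        | awk -F '\t' '$2 == "POST" && $3 ~ /login/ && $4 ~ /^[23]/ { print $1 }' \
        | sort -u
}

# Constructed sample log lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG='10.0.0.5 - - [10/Feb/2021:09:12:01 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Feb/2021:09:13:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
203.0.113.77 - - [10/Feb/2021:09:13:42 +0000] "GET /view/confMgr.php HTTP/1.1" 200 8120 "-" "python-requests/2.25.1"
192.168.1.10 - - [10/Feb/2021:09:20:07 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Stand-alone run against the sample: two flagged requests, one untrusted login.
printf '%s\n' "$SAMPLE_LOG" | flag_untrusted_admin_hits
printf 'flagged requests: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_untrusted_admin_hits)"
printf 'untrusted successful logins: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | untrusted_login_successes)"
```

Against the real log, call `flag_untrusted_admin_hits /usr/local/lsws/admin/logs/access.log` from a cron job or your agent and alert on a non-zero count; the allowlist should match the same addresses the firewall rule above permits, so any hit also means the network control failed.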
🔗 References
- https://docs.unsafe-inline.com/0day/openlitespeed-web-server-1.7.8-command-injection-to-privilege-escalation-cve-2021-26758
- https://github.com/litespeedtech/openlitespeed/issues/217
- https://www.exploit-db.com/exploits/49556