CVE-2021-43693
📋 TL;DR
CVE-2021-43693 is a file inclusion vulnerability in Vesta Control Panel that allows attackers to include arbitrary files from the server. This can lead to remote code execution by including malicious PHP files. All Vesta installations using version 0.9.8-24 with the vulnerable web/add/user/index.php file are affected.
💻 Affected Systems
- Vesta Control Panel
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with root-level access, data exfiltration, and complete control over the hosting environment and all hosted websites.
Likely Case
Remote code execution leading to website defacement, data theft, malware deployment, and creation of backdoors for persistent access.
If Mitigated
Limited impact with proper file permissions, web application firewalls, and restricted file upload capabilities preventing successful exploitation.
🎯 Exploit Status
The vulnerability is straightforward to exploit with publicly available proof-of-concept code. Attackers can use simple HTTP requests to trigger the file inclusion.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 0.9.8-24
Vendor Advisory: https://github.com/serghey-rodin/vesta/issues/2052
Restart Required: No
Instructions:
1. Update Vesta Control Panel to the latest version.
2. Run: v-update-sys-vesta-all
3. Verify the web/add/user/index.php file has been patched.
🔧 Temporary Workarounds
Remove vulnerable file
Linux: Temporarily remove or rename the vulnerable file to prevent exploitation. This also disables the panel's "add user" web form until the file is restored by the update.
mv /usr/local/vesta/web/add/user/index.php /usr/local/vesta/web/add/user/index.php.bak
Restrict file access
Linux: Use web server configuration to block access to the vulnerable path (the Apache block below uses the 2.2-style Order/Deny directives; on Apache 2.4 without mod_access_compat use "Require all denied" instead).
# Add to Apache config:
<Location "/add/user/index.php">
    Order deny,allow
    Deny from all
</Location>
# Add to Nginx config:
location ~ /add/user/index.php { deny all; }
🧯 If You Can't Patch
- Implement strict web application firewall rules to block requests to /add/user/index.php with suspicious parameters
- Disable the Vesta web interface entirely and use only command-line administration until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check whether the file /usr/local/vesta/web/add/user/index.php exists and contains the vulnerable code patterns. Test with a controlled file inclusion attempt using curl:
curl -k 'https://target/add/user/index.php?some_parameter=../../../../etc/passwd'
Check Version:
v-list-sys-vesta | grep Vesta
Verify Fix Applied:
Verify the vulnerable file has been updated or removed. Check Vesta version with: v-list-sys-vesta
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /add/user/index.php with file path traversal patterns
- Web server error logs showing file inclusion attempts
- Unusual PHP file execution from unexpected locations
Network Indicators:
- HTTP GET requests containing '../../' patterns in URL parameters
- Requests to the vulnerable endpoint from unusual IP addresses
SIEM Query:
source="web_access_logs" AND (url="/add/user/index.php" OR url LIKE "%/add/user/index.php%") AND (params LIKE "%..%" OR params LIKE "%../../%")
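The SIEM query above matches literal ".." in the raw URL, so a URL-encoded traversal (for example %2e%2e%2f) slips past it. The following script is an added example, not part of this advisory or of the Vesta project: it parses combined-format access log lines, percent-decodes the request target (repeatedly, to catch double encoding), and flags traversal attempts against /add/user/index.php as high, traversal against other paths as medium, and hits on the vulnerable endpoint from IPs outside a caller-supplied admin allowlist as low. The log lines, IP addresses and the admin allowlist are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /add/user/index.php?some_parameter=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.68.0"
203.0.113.5 - - [10/Jan/2022:10:00:02 +0000] "GET /add/user/index.php?some_parameter=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1834 "-" "curl/7.68.0"
198.51.100.7 - - [10/Jan/2022:10:01:00 +0000] "GET /add/user/index.php HTTP/1.1" 200 5120 "https://panel.example/list/user/" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2022:10:01:05 +0000] "POST /add/user/index.php HTTP/1.1" 302 0 "https://panel.example/add/user/" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2022:10:02:00 +0000] "GET /list/web/?page=../../etc/passwd HTTP/1.1" 200 300 "-" "python-requests/2.25"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." followed by a separator or end of string, checked after decoding
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')
# A request for the /add/user/ directory resolves to its index.php
VULN_ENDPOINT = "/add/user"


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) and normalise backslashes."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def scan_log(text: str, known_admin_ips=frozenset()):
    """Return a list of findings, each a dict with ip, severity, target, decoded."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.group("ip"), m.group("target")
        decoded = decode_target(target)
        path, _, query = decoded.partition("?")
        endpoint_hit = VULN_ENDPOINT in path
        traversal = bool(TRAVERSAL_RE.search(query) or TRAVERSAL_RE.search(path))
        if endpoint_hit and traversal:
            severity = "high"    # traversal aimed at the vulnerable endpoint
        elif traversal:
            severity = "medium"  # traversal elsewhere on the panel
        elif endpoint_hit and ip not in known_admin_ips:
            severity = "low"     # vulnerable endpoint touched from an unexpected IP
        else:
            continue
        findings.append(
            {"ip": ip, "severity": severity, "target": target, "decoded": decoded}
        )
    return findings


if __name__ == "__main__":
    # Constructed allowlist: the one IP assumed to belong to the panel admins
    for f in scan_log(SAMPLE_LOG, known_admin_ips={"198.51.100.7"}):
        print(f"{f['severity']:6} {f['ip']:14} {f['decoded']}")
```

Run it against the real access log of the Vesta web interface by replacing SAMPLE_LOG with the file contents; the decode step is what turns the encoded second sample line into the same "../../etc/passwd" payload as the first, so both are reported as high while the admin's ordinary use of the add-user form is not reported at all.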