CVE-2021-47871
📋 TL;DR
Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability: an authenticated user can call the `v-make-tmp-file` command through the control panel's web API and have content written to a file path of their choosing on the server. Hestia's web front end runs its backend commands via sudo, so the write happens as root and is not confined to the caller's own home directory. Obvious outcomes are injecting an SSH public key into /root/.ssh/authorized_keys, dropping a web shell, or planting a backdoor. Valid control panel credentials are required; unauthenticated attackers cannot reach the vulnerable command.
💻 Affected Systems
- Hestia Control Panel
⚠️ Manual Verification Required
The NVD entry for this CVE carries no affected-version ranges, so automated scanners that match on CPE version ranges cannot decide whether a given install is affected. The information on this page (1.3.2 affected, 1.3.3 and later fixed) comes from the public exploit and the vendor's release history, not from NVD, so confirm it against your installed version by hand.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges were provided by the vendor or NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via SSH key injection leading to root access, data theft, ransomware deployment, or complete system takeover.
Likely Case
Unauthorized file creation leading to backdoor installation, privilege escalation, or lateral movement within the hosting environment.
If Mitigated
Limited impact if the control panel and its API (port 8083 by default) are reachable only from trusted networks, the set of panel accounts is small and protected by strong credentials and MFA, and SSH logins are monitored. Note that file permission hardening on its own does not stop this bug, because the write is performed as root.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB and other sources. Attack requires valid authentication credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.3 and later
Vendor Repository: https://github.com/hestiacp/hestiacp (release notes and changelog; there is no separate advisory page)
Restart Required: No
Instructions:
1. Back up your current configuration (e.g. with `v-backup-user admin` or a snapshot of /usr/local/hestia/conf).
2. Update HestiaCP with the official update command: `v-update-sys-hestia`.
3. Verify the update completed successfully and the installed version reports 1.3.3 or later.
🔧 Temporary Workarounds
Restrict API Access
Temporarily disable or restrict access to the vulnerable API endpoint until patching is possible. The API is served from /usr/local/hestia/web/api/index.php, so either add a source-IP allowlist at the top of that file (or in the Hestia nginx configuration that fronts it) or take the endpoint offline entirely. Renaming the file breaks every API consumer, including any automation you rely on, so restore it once the patch is applied.
# Add IP-based restrictions to /usr/local/hestia/web/api/index.php
# Or temporarily take the endpoint offline by moving the file:
mv /usr/local/hestia/web/api/index.php /usr/local/hestia/web/api/index.php.bak
File Permission Hardening
Set restrictive permissions on sensitive directories. This is good hygiene and limits what a compromised non-root process can reach, but it does not block this vulnerability, since the API's command runs as root and root ignores mode bits. Treat it as defence in depth, not as a fix. The values below are the ones sshd's StrictModes accepts; 700/600 are the conventional settings for .ssh and authorized_keys.
chmod 750 /root
chmod 700 /root/.ssh /home/*/.ssh
chmod 600 /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys
🧯 If You Can't Patch
- Implement strict network segmentation to isolate HestiaCP instances from critical systems.
- Enforce multi-factor authentication and strong password policies for all control panel accounts.
🔍 How to Verify
Check if Vulnerable:
Read the installed HestiaCP version. If it reports 1.3.2 (or anything older than 1.3.3), the system is vulnerable.
cat /usr/local/hestia/version
Verify Fix Applied:
After running the update, read the version again and confirm it shows 1.3.3 or higher.
cat /usr/local/hestia/version
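The version check above is easy to get wrong by hand once patch releases pass 1.3.9 (a plain string comparison sorts "1.3.10" before "1.3.3"). The following shell script is an added example, not part of the original advisory or of the HestiaCP project; it assumes, as stated above, that 1.3.3 is the first fixed release, and it takes the version file path as a parameter so it can be exercised against a constructed file. It relies on GNU `sort -V` for version ordering.

```shell
#!/bin/sh
# Added example: decide whether an installed HestiaCP version is affected
# by CVE-2021-47871. Assumption (from the advisory text): 1.3.2 is
# affected, 1.3.3 and later carry the fix.

FIXED_VERSION="1.3.3"

# Return 0 (true) if the given version string is older than FIXED_VERSION.
# sort -V orders 1.3.10 after 1.3.9, which a string compare would not.
hestia_is_vulnerable() {
    v="$1"
    [ -n "$v" ] || return 2
    [ "$v" = "$FIXED_VERSION" ] && return 1
    lowest=$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$v" ]
}

# Read the version from a file (default: the path named in the advisory),
# strip whitespace, and report. Returns 0 when vulnerable, 1 when fixed,
# 2 when the file cannot be read.
hestia_check_file() {
    f="${1:-/usr/local/hestia/version}"
    if [ ! -r "$f" ]; then
        echo "cannot read $f" >&2
        return 2
    fi
    v=$(tr -d '[:space:]' < "$f")
    if hestia_is_vulnerable "$v"; then
        echo "VULNERABLE: HestiaCP $v (older than $FIXED_VERSION)"
        return 0
    fi
    echo "OK: HestiaCP $v ($FIXED_VERSION or newer)"
    return 1
}

# Stand-alone demonstration against a constructed version file
# (constructed sample, not a real install).
tmp=$(mktemp)
printf '1.3.2\n' > "$tmp"
hestia_check_file "$tmp"
rm -f "$tmp"
```

On a real host run `hestia_check_file` with no argument, or point it at wherever your install records the version.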
📡 Detection & Monitoring
Log Indicators:
- API requests (POST to the /api/ endpoint, served by /usr/local/hestia/web/api/index.php) whose cmd parameter is v-make-tmp-file, especially with a filename argument containing "../" or an absolute path
- New or modified files in /root/.ssh/, /home/*/.ssh/, or web document roots that no administrator created
- Successful SSH logins ("Accepted publickey" in auth.log) for root or other accounts from IP addresses not seen before; a planted key produces a successful login, not a failed one, so failed-password bursts alone are not the right signal here
Network Indicators:
- Inbound SSH sessions to the HestiaCP host from unfamiliar source IPs shortly after API activity
- Unusual outbound connections from the HestiaCP server (reverse shells, tooling downloads)
- API requests to port 8083 from unexpected source IPs
SIEM Query:
(source="/var/log/hestia/api.log" AND "v-make-tmp-file") OR (source="/var/log/auth.log" AND "Accepted publickey")
Group the second clause by source IP and alert on addresses outside your known-admin list; "new IP" is not a built-in field, so compare against a baseline of previously seen login sources. The api.log path is the one named in this advisory; check which file your Hestia version actually writes API activity to.
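The indicators above can be checked with a short script when no SIEM is in place. The following is an added example, not part of the original advisory or of HestiaCP: it scans a command log for `v-make-tmp-file` calls whose filename argument escapes a temporary directory (path traversal or an absolute path) or points at SSH key material. The log line shape it parses, "date time command 'arg' 'arg' ...", is an assumption; the argument order of the real command is not documented on this page, so the script treats the last quoted argument as the filename. The sample log is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: flag suspicious v-make-tmp-file invocations in a HestiaCP
# command log. ASSUMED log format: "<date> <time> <command> 'arg1' 'arg2' ..."
# ASSUMPTION: the last quoted argument is the target filename.

# Write a constructed sample log (not real data) to the path given in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
2021-05-03 10:15:01 v-list-users 'json'
2021-05-03 10:15:22 v-make-tmp-file 'hello' 'backup-notes.txt'
2021-05-03 10:16:04 v-make-tmp-file 'ssh-rsa AAAAB3NzaC1yc2E attacker' '../../../root/.ssh/authorized_keys'
2021-05-03 10:16:30 v-make-tmp-file '<?php system($_GET[c]); ?>' '../../home/admin/web/example.com/public_html/s.php'
2021-05-03 10:17:00 v-restart-web
2021-05-03 10:18:12 v-make-tmp-file 'x' '/etc/cron.d/persist'
EOF
}

# Print every v-make-tmp-file line whose target filename looks like an
# escape from the temp directory or an SSH key location.
suspicious_tmp_writes() {
    grep ' v-make-tmp-file ' "$1" | while IFS= read -r line; do
        # Extract the last single-quoted argument as the filename.
        target=$(printf '%s\n' "$line" | sed "s/.*'\([^']*\)'[[:space:]]*$/\1/")
        case "$target" in
            *../*|/*|*.ssh/*|*authorized_keys*)
                printf '%s\n' "$line" ;;
        esac
    done
}

# Count of suspicious lines, as a bare number.
count_suspicious_tmp_writes() {
    suspicious_tmp_writes "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration.
log=$(mktemp)
write_sample_log "$log"
suspicious_tmp_writes "$log"
echo "suspicious v-make-tmp-file calls: $(count_suspicious_tmp_writes "$log")"
rm -f "$log"
```

Run `suspicious_tmp_writes /var/log/hestia/<your-log>` on a real host after adjusting the sed expression to the line format your Hestia version actually writes; pair it with a review of `Accepted publickey` lines in /var/log/auth.log for the same time window.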