CVE-2025-56551

8.2 HIGH

📋 TL;DR

This vulnerability in DirectAdmin v1.680 allows unauthenticated attackers to manipulate the login page layout and replace it with malicious content via crafted GET requests. This enables phishing attacks where users may unknowingly submit credentials to attacker-controlled interfaces. All systems running the vulnerable DirectAdmin version are affected.

💻 Affected Systems

Products:
  • DirectAdmin
Versions: v1.680
Operating Systems: Linux, FreeBSD
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of DirectAdmin v1.680 are vulnerable by default. The vulnerability affects the web control panel interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could replace the legitimate login interface with a perfect replica that captures user credentials, leading to full system compromise through credential theft and subsequent unauthorized access.

🟠 Likely Case

Attackers deploy phishing login pages to steal administrator credentials, potentially gaining control over the DirectAdmin panel and hosted websites.

🟢 If Mitigated

With proper network segmentation and access controls, the impact is limited to potential phishing attempts against users who access the vulnerable interface.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires only a crafted GET request with no authentication. Public proof-of-concept images show exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.681 or later

Vendor Advisory: https://www.directadmin.com/

Restart Required: No

Instructions:

1. Log into DirectAdmin as administrator.
2. Navigate to System Information > Update DirectAdmin.
3. Click the 'Update DirectAdmin' button.
4. Verify the update to v1.681 or later.

🔧 Temporary Workarounds

Restrict Access via Firewall (Linux)

Limit access to the DirectAdmin panel to trusted IP addresses only (replace TRUSTED_IP with your management address or range). Because -A appends to the end of the INPUT chain, an earlier rule that already accepts port 2222 would take precedence; in that case insert these rules ahead of it with iptables -I instead.

iptables -A INPUT -p tcp --dport 2222 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j DROP

Use Reverse Proxy with Input Validation (all platforms)

Deploy a reverse proxy that validates and sanitizes all GET parameters before forwarding to DirectAdmin.

🧯 If You Can't Patch

  • Implement strict network access controls to limit DirectAdmin panel access to trusted IP addresses only
  • Deploy web application firewall rules to block requests with suspicious GET parameters targeting the login interface

🔍 How to Verify

Check if Vulnerable:

Check the DirectAdmin version from the command line; v1.680 is the vulnerable release:

/usr/local/directadmin/directadmin version | grep 'Version='

Verify Fix Applied:

Verify the version is v1.681 or later. The pattern below matches 1.681 through 1.689, the 1.69x series, and any 1.7xx or higher three-digit series; it avoids \d, which is not a POSIX ERE class and is not reliably supported by grep -E:

/usr/local/directadmin/directadmin version | grep -E 'Version=1\.(68[1-9]|69[0-9]|[7-9][0-9]{2})'
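Added example, not DirectAdmin's own tooling: a POSIX sh check that extracts the Version= field from the `directadmin version` output and compares it numerically against the fixed release 1.681, so later series (1.69x, 1.7xx) are also recognised as fixed without relying on a hand-written regex. The sample lines it is fed are constructed.

```shell
#!/bin/sh
# Added example (not DirectAdmin's own tooling). Compares the "Version=" field
# reported by `/usr/local/directadmin/directadmin version` against the fixed
# release, 1.681, numerically rather than with a regex, so 1.69x and 1.7xx
# builds are also recognised as fixed. Sample input lines are constructed.
FIXED_MAJOR=1
FIXED_MINOR=681

# Read stdin and print the first "MAJOR.MINOR" found after "Version=",
# e.g. "1.680"; print nothing if no such field is present.
da_parse_version() {
    sed -n 's/.*Version=\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p' | head -n 1
}

# da_is_fixed "1.680" -> exit 0 if version >= 1.681, 1 if older,
# 2 if the string is not a plain MAJOR.MINOR number.
da_is_fixed() {
    ver="$1"
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major="${ver%%.*}"
    minor="${ver#*.}"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -gt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "$major" -lt "$FIXED_MAJOR" ]; then return 1; fi
    [ "$minor" -ge "$FIXED_MINOR" ]
}

# Take one line of version output and print a verdict.
da_check_line() {
    v="$(printf '%s\n' "$1" | da_parse_version)"
    if [ -z "$v" ]; then
        echo "UNKNOWN: no Version= field"
        return 2
    fi
    if da_is_fixed "$v"; then
        echo "FIXED: $v"
    else
        echo "VULNERABLE: $v"
    fi
}

# On a real host:  da_check_line "$(/usr/local/directadmin/directadmin version)"
# Constructed samples:
da_check_line "Version=1.680"   # VULNERABLE: 1.680
da_check_line "Version=1.681"   # FIXED: 1.681
```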

📡 Detection & Monitoring

Log Indicators:

  • Unusual GET requests to DirectAdmin login page with crafted parameters
  • Multiple failed login attempts from unexpected IP addresses

Network Indicators:

  • HTTP requests to DirectAdmin port (default 2222) with unusual GET parameters
  • Traffic patterns showing login page requests followed by credential submissions to different endpoints

SIEM Query:

source="directadmin_access.log" AND ((uri="*login*" AND query="*crafted_parameter*") OR (status=200 AND uri="*login*" AND user_agent="*unusual*"))

crafted_parameter and unusual are placeholders: substitute the actual query parameter name and the user-agent patterns that are abnormal for your environment, and keep the outer parentheses so the OR does not bind to the source clause.
