CVE-2026-2551
📋 TL;DR
A path traversal vulnerability in ZenTao's backup handler lets an attacker delete arbitrary files by supplying '..' sequences in the fileName parameter. ZenTao installations up to and including version 21.7.8 are affected. A remote attacker can delete any file the web server (PHP) process has permission to remove, which on many installations includes ZenTao's own configuration and data files.
💻 Affected Systems
- ZenTao
📦 What is this software?
ZenTao is an open-source project management / ALM tool (Scrum, bug tracking, test management) written in PHP, developed by EasyCorp (the ZenTao team).
⚠️ Risk & Real-World Impact
Worst Case
Deletion of any file the web server process can remove: ZenTao configuration, uploaded data and backups, or, on a carelessly permissioned host, authentication databases and system binaries. The result ranges from service disruption and data loss to a foothold for complete compromise.
Likely Case
Deletion of application files (configuration, attachments, backups) leading to service disruption or data loss; removing files that enforce security controls can also be a step toward privilege escalation.
If Mitigated
Limited impact if file permissions confine the web server user to non-critical files, or if the vulnerable endpoint is not reachable from untrusted networks.
🎯 Exploit Status
Exploit details are publicly disclosed (see the reference below). The attack requires network reachability of the vulnerable endpoint; depending on ZenTao configuration it may not require authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.7.9 or later
Reference (third-party disclosure write-up, not a ZenTao vendor advisory): https://github.com/ez-lbz/ez-lbz.github.io/issues/10
Restart Required: No (PHP code is picked up on the next request; see the OPcache note below)
Instructions:
1. Upgrade ZenTao to version 21.7.9 or later.
2. Verify the patch by checking the version in the admin panel or the installed files.
3. No service restart is needed for a PHP application. Exception: if OPcache runs with opcache.validate_timestamps=0 (or a long opcache.revalidate_freq), reload PHP-FPM or Apache so the patched files replace the cached ones.
🔧 Temporary Workarounds
Restrict access to the backup handler
Block access to the vulnerable editor/control.php endpoint with web server configuration or firewall rules. Any legitimate function served by that endpoint is blocked too, so treat this as a stop-gap until the upgrade. The paths below assume ZenTao is served from the web root; add the install sub-path otherwise.
# Apache (vhost or server config):
#   <LocationMatch "^/editor/control\.php">
#       Require all denied
#   </LocationMatch>
# Apache (.htaccess in the ZenTao web root; the pattern has no leading slash here):
#   RewriteEngine On
#   RewriteRule ^editor/control\.php - [F]
# Nginx (place it before the generic "location ~ \.php$" block: the first matching regex location wins):
#   location ~ ^/editor/control\.php { deny all; }
Implement input validation
Add server-side validation on the fileName parameter. Checking only for a literal '..' is a blacklist and is easy to get wrong; prefer an allow-list that accepts a bare file name (no path separators, no leading dot) and, where the code base allows it, canonicalise with realpath() and confirm the result stays inside the backup directory.
# PHP example (reject anything that is not a bare file name, not only a literal '..'):
#   $f = $_POST['fileName'] ?? '';
#   if (!is_string($f) || $f === '' || $f[0] === '.' || $f !== basename($f) || strpos($f, '..') !== false) { die('Invalid input'); }
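The validation idea above, as an added worked example (not ZenTao code and not from the disclosure): an allow-list plus canonicalisation check in Python, compared against the literal '..' blacklist. The function names, the backup directory layout and the payloads are constructed for the demonstration; the equivalent in PHP is basename() followed by realpath() and a prefix check.

```python
"""Confine a user-supplied backup file name to the backup directory.

Added example for this advisory, not ZenTao's code. It contrasts the page's
literal '..' blacklist with an allow-list plus canonicalisation check. The
directory layout and payloads are constructed for the demonstration.
"""
import os
import re
import tempfile
from typing import Dict, Tuple
from urllib.parse import unquote

# Allow-list for a bare backup file name: starts with an alphanumeric, then a
# modest character set, no path separators, no leading dot.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def naive_check(file_name: str) -> bool:
    """The page's quick workaround: passes anything without a literal '..'."""
    return ".." not in file_name


def safe_backup_path(backup_dir: str, file_name: str) -> str:
    """Return the canonical path of file_name inside backup_dir, or raise ValueError.

    Three layers: percent-decode (a no-op when the framework already decoded),
    allow-list the bare name, then canonicalise and prove the result is still
    below backup_dir. The last step also rejects a symlink that points outside.
    """
    name = unquote(file_name)
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected file name: {file_name!r}")
    root = os.path.realpath(backup_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"escapes backup directory: {file_name!r}")
    return target


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run both checks over constructed payloads in a throw-away backup directory.

    Returns {payload: (naive_check_passed, 'accepted' or 'rejected' by safe_backup_path)}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        backup_dir = os.path.join(tmp, "backup")
        os.mkdir(backup_dir)
        open(os.path.join(backup_dir, "zentao-2026-01-01.sql"), "w").close()
        # A file outside the backup directory, reachable via a symlink inside it.
        outside = os.path.join(tmp, "outside.txt")
        open(outside, "w").close()
        os.symlink(outside, os.path.join(backup_dir, "link.sql"))

        payloads = [
            "zentao-2026-01-01.sql",     # legitimate backup
            "../../etc/passwd",          # classic traversal
            "%2e%2e/%2e%2e/etc/passwd",  # encoded; slips past a check run on raw input
            "/etc/passwd",               # absolute path, contains no '..'
            "link.sql",                  # symlink escaping the directory
        ]
        results = {}
        for payload in payloads:
            try:
                safe_backup_path(backup_dir, payload)
                verdict = "accepted"
            except ValueError:
                verdict = "rejected"
            results[payload] = (naive_check(payload), verdict)
        return results


if __name__ == "__main__":
    for payload, (naive_ok, verdict) in demo().items():
        print(f"{payload:30} naive '..' check: {'pass' if naive_ok else 'block':5}  "
              f"allow-list + realpath: {verdict}")
```

Three of the five constructed payloads pass the literal '..' check and are stopped only by the allow-list or by the realpath confinement; the symlink case shows why the canonicalisation step is worth keeping even after the name itself has been validated.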
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ZenTao from critical systems and limit who can reach the backup endpoint.
- Run the web server / PHP-FPM process under a dedicated user that owns only what it must write (uploads, backups, cache); an arbitrary-deletion primitive is then confined to those directories.
- Deploy file integrity monitoring to detect unauthorized file deletions, and keep copies of the configuration and data directories outside the web server's reach.
🔍 How to Verify
Check if Vulnerable:
Check the ZenTao version. If it is 21.7.8 or earlier and the editor/control.php endpoint (under the install path) is reachable, the system is vulnerable.
Check Version:
Check ZenTao admin panel or config files for version information.
Verify Fix Applied:
Verify that the ZenTao version is 21.7.9 or later. If you test the endpoint with path traversal payloads to confirm rejection, do it against a non-production copy or with a payload that names a throwaway file: a successful test against production deletes the file.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to editor/control.php whose fileName parameter contains '..', its URL-encoded forms (%2e%2e, double-encoded %252e%252e) or backslash variants (..%5c). A fileName sent in a POST body does not appear in web server access logs; cover that case with WAF or application-level logging.
- Unexpected file deletion events in system logs.
Network Indicators:
- Unusual traffic patterns to the backup handler endpoint.
- Multiple failed deletion attempts indicating scanning.
SIEM Query:
source="web_logs" AND uri="*/editor/control.php*" AND (fileName="*..*" OR fileName="*%2e%2e*" OR fileName="*%2E%2E*" OR fileName="*%252e%252e*")
The fileName field assumes the SIEM parses query parameters; otherwise match the same patterns against the raw uri. The wildcard before /editor/control.php covers installations served from a sub-path.
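The log indicators and SIEM query above, turned into an added detection example (Python; not code from the page, the vendor or any SIEM product). It assumes Apache/nginx combined-format access logs and that fileName arrives in the query string, where the web server log can see it; the page's own workaround reads the parameter from $_POST, in which case the same logic has to run over WAF or application logs instead. The sample lines, IP addresses and timestamps are constructed.

```python
"""Flag path-traversal attempts against ZenTao's editor/control.php in web logs.

Added detection example for this advisory, not code from the page or the
vendor. It parses Apache/nginx combined-format access lines, decodes the
fileName query parameter (twice, to catch double encoding) and matches '..'
as a path component with either separator, so encoded variants that a literal
'*..*' search misses are still flagged. The log lines are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (combined format). Lines 2-4 are attacks;
# line 3 is percent-encoded, line 4 double-encoded with backslashes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:14:02 +0000] "GET /editor/control.php?fileName=backup-2026-03-09.sql HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:09:14:05 +0000] "GET /editor/control.php?fileName=../../config/my.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:09:15:11 +0000] "GET /zentao/editor/control.php?fileName=%2e%2e%2f%2e%2e%2fconfig%2fmy.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
198.51.100.4 - - [10/Mar/2026:09:15:12 +0000] "GET /zentao/editor/control.php?fileName=%252e%252e%255c%252e%252e%255cconfig%255cmy.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
192.0.2.9 - - [10/Mar/2026:09:16:00 +0000] "GET /index.php?m=my&f=index HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' as a whole path component, with either separator, anywhere in the name.
# A name such as "a..b" is not flagged; only component-level traversal is.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decoded_file_name(target: str) -> Optional[str]:
    """Extract fileName from the request target and fully percent-decode it."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "fileName" not in params:
        return None
    # parse_qs decoded once; a second unquote catches %252e-style double encoding.
    return unquote(params["fileName"][0])


def is_traversal(name: str) -> bool:
    """True when the decoded name contains a '..' path component."""
    return TRAVERSAL_RE.search(name) is not None


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request that hits the handler with a traversal payload."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Match by suffix so installs under a sub-path (e.g. /zentao/) are covered.
        if not urlsplit(m["target"]).path.lower().endswith("/editor/control.php"):
            continue
        name = decoded_file_name(m["target"])
        if name is None or not is_traversal(name):
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "fileName": name, "status": int(m["status"]),
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']}  {hit['ip']:15}  {hit['method']}  "
              f"fileName={hit['fileName']!r}  -> {hit['status']}")
```

Against the constructed log the scan reports three requests from two sources; the legitimate backup download and the unrelated index.php request are left alone. The status code is kept in each record because a 200 on a traversal payload against an unpatched host is the signal that a deletion may actually have happened, which is the moment to compare against file integrity monitoring.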