
Authentication bypass in Vesta Control Panel

Published: 2018-04-09
Severity Critical
Patch available YES
Number of vulnerabilities 1
Exploitation vector Network
Public exploit This vulnerability is being exploited in the wild.
Vulnerable software
Vesta Control Panel
Web applications / Remote management & hosting panels

Vendor Vesta Control Panel

Security Advisory

This security advisory describes one critical-risk vulnerability.

1) Improper authentication

Severity: Critical

CVSSv3: 9.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]


CWE-ID: CWE-287 - Improper Authentication

Exploit availability: Yes


The vulnerability allows a remote attacker to bypass authentication checks and gain full access to the affected system.

The vulnerability exists due to improper validation of authentication credentials in the Vesta CP management interface. A remote, unauthenticated attacker can send a specially crafted HTTP request to the management interface, bypass authentication, and gain full control over the affected server.

Note: this vulnerability is being actively exploited in the wild.

The attack was reportedly performed from IP addresses located in China. The attackers created a file in "/etc/cron.hourly/" on infected systems; if such a file is present on your server, your system has been compromised. Because a successful bypass gives the attacker full control of the server, treat any host with this indicator as fully compromised and rebuild it from a known-good source rather than only removing the file.


Install the update from the Vesta Git repository.

Vulnerable software versions

Vesta Control Panel: 0.9.8-1, 0.9.8-2, 0.9.8-3, 0.9.8-4, 0.9.8-5, 0.9.8-6, 0.9.8-7, 0.9.8-8, 0.9.8-9, 0.9.8-10, 0.9.8-11, 0.9.8-12, 0.9.8-13, 0.9.8-14, 0.9.8-15, 0.9.8-16, 0.9.8-17, 0.9.8-18, 0.9.8-19
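A triage script for the two checks a practitioner would want after reading this advisory: whether the installed release falls in the affected range 0.9.8-1 through 0.9.8-19, and whether /etc/cron.hourly/ contains entries that no installed package owns. This is an added example; it is not part of the advisory or of Vesta CP. It assumes the Vesta package is registered as `vesta` in dpkg or rpm and that its version string carries the release number in the form 0.9.8-N, and it uses package ownership as the test for an unexpected cron entry because the advisory does not give the file name. All three are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added triage helper for the Vesta CP authentication bypass advisory.
# Not part of the advisory or of Vesta CP. Assumptions, not stated on the page:
#   - the Vesta package is named "vesta" in dpkg or rpm and its version string
#     carries the release number in the form 0.9.8-N;
#   - the advisory's indicator is an unexpected entry in /etc/cron.hourly/, so
#     entries that no installed package owns are reported for manual review.
# Usage: . ./vesta-triage.sh && triage

# Return 0 if RELEASE (e.g. "0.9.8-19") lies in the affected range 0.9.8-1 .. 0.9.8-19.
vesta_release_affected() {
    rel="$1"
    case "$rel" in
        0.9.8-*) n="${rel#0.9.8-}" ;;
        *) return 1 ;;
    esac
    case "$n" in
        ''|*[!0-9]*) return 1 ;;   # not a plain numeric release suffix
    esac
    [ "$n" -ge 1 ] && [ "$n" -le 19 ]
}

# Read the installed release from the package manager (assumed package name "vesta").
# Prints nothing if the package is not registered with dpkg or rpm.
installed_vesta_release() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' vesta 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' vesta 2>/dev/null
    fi
}

# Print every regular file in DIR that no installed package claims ownership of.
# On a host without dpkg or rpm every entry is printed, so review the list by hand.
unowned_cron_entries() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if command -v dpkg >/dev/null 2>&1; then
            dpkg -S "$f" >/dev/null 2>&1 && continue
        elif command -v rpm >/dev/null 2>&1; then
            rpm -qf "$f" >/dev/null 2>&1 && continue
        fi
        printf '%s\n' "$f"
    done
    return 0
}

# Full triage on the local host: version check plus cron.hourly review.
# Returns 2 if anything is suspicious, 0 otherwise.
triage() {
    status=0
    rel=$(installed_vesta_release)
    if [ -z "$rel" ]; then
        echo "vesta package not registered with dpkg/rpm; check the install manually"
    elif vesta_release_affected "$rel"; then
        echo "AFFECTED: vesta $rel is within 0.9.8-1..0.9.8-19, update now"
        status=2
    else
        echo "vesta $rel is outside the affected range"
    fi
    unowned=$(unowned_cron_entries /etc/cron.hourly)
    if [ -n "$unowned" ]; then
        echo "REVIEW: cron.hourly entries not owned by any installed package:"
        echo "$unowned"
        status=2
    fi
    return "$status"
}
```

An unowned entry is only a lead, not proof: administrators legitimately drop scripts into /etc/cron.hourly/, so compare any hit against change records and inspect its contents before deciding the host is compromised.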


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote, unauthenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.
