CVE-2020-10808
Description
VestaCP 0.9.8-26 has a command injection in the backup listing endpoint via crafted filenames, enabling authenticated RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Vesta Control Panel (VestaCP) through version 0.9.8-26 suffers from a command injection vulnerability in the schedule/backup backup listing endpoint [2]. The application executes bash scripts via exec() calls that take user-controlled input; some call sites apply escapeshellarg(), but the backup listing endpoint processes filenames that are not sanitized at all [1][2]. An attacker must first be able to create a crafted filename on the server; this can be done over FTP by uploading or renaming a file so that its name contains shell metacharacters, for example renaming .bash_logout to .bash_logout' followed by $() or backticks [2]. The vulnerable version is 0.9.8-26 and earlier [1].
Exploitation
An attacker needs authenticated access to VestaCP (as a user with FTP and web panel credentials) and the ability to write files via FTP [1]. The attack sequence is: 1) Authenticate to the FTP service and upload a file with a crafted filename that includes shell metacharacters, such as ;id; or backtick commands. 2) Trigger the backup listing endpoint via the web interface, which reads the filename and passes it unsanitized into a shell command. 3) The payload is executed as part of the backup listing process, deploying a first-stage stager (e.g., a Python meterpreter). 4) The stager then fetches a second-stage payload (e.g., a shell script via curl) and executes it, achieving remote code execution [1][2]. The Metasploit module automates these steps, with a delay of up to 5 minutes for the backup process to trigger [1].
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands as the admin user (who has sudo privileges) on the VestaCP server [2]. This leads to full compromise of the VestaCP instance and the underlying system, including data disclosure, modification, and denial of service, effectively achieving remote code execution (RCE) with root-level privileges [1][2].
Mitigation
As of the publication date (2020-03-22), no official patch was available for VestaCP 0.9.8-26 [1][2]. Users are advised to restrict access to the VestaCP web interface and FTP service to trusted networks only, and to monitor for unauthorized file uploads. The vendor has not released a fixed version; updating to a later version if available is recommended. This vulnerability has been added to the Metasploit Framework (exploit/linux/http/vestacp_exec), indicating active exploitation risk [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- VestaCP
- Vesta Control Panel
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `v-list-user-backup` bash script passes user-controlled filenames from `backup.conf` directly to `eval`, allowing command injection."
Attack vector
An attacker with FTP access to their VestaCP home directory renames a dotfile (e.g., `.bash_logout`) to a name containing shell metacharacters, such as `.bash_logout';$(sleep${IFS}1337);'`. When the victim triggers a backup via the web panel, the `v-backup-user` script writes the malicious filename into the `udir_list` field of `backup.conf`. Later, when the backup listing endpoint (`/list/backup/`) is accessed, the `v-list-user-backup` script reads `backup.conf` and passes it to `eval`, executing the attacker's injected command as root. [ref_id=1]
Affected code
The vulnerability resides in the `v-list-user-backup` bash script, which reads the user's `backup.conf` file and passes its content to `eval`. The `backup.conf` file is written by the `v-backup-user` script, which includes the `udir_list` variable populated from filenames in the user's home directory. The affected endpoint is `/schedule/backup/` and `/list/backup/` in the VestaCP web panel. [ref_id=1]
What the fix does
The advisory does not provide a patch diff. The recommended fix is to avoid using `eval` on untrusted data in `v-list-user-backup` and to sanitize or escape filenames before writing them into `backup.conf`. Additionally, filenames containing shell metacharacters should be rejected or properly quoted. [ref_id=1]
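The hardened pattern the fix description calls for, as an added example that is not VestaCP's own code: backup.conf is read as KEY='VALUE' data rather than passed to eval, and udir_list entries are allowlisted before they are accepted. The key names, the one-key-per-line layout and the comma-separated udir_list are assumptions; the crafted dotfile name in the constructed sample is the one quoted in the advisory.

```shell
#!/bin/sh
# Added example, not VestaCP's own code: the two defensive changes the fix
# description implies. backup.conf is read as KEY='VALUE' data instead of
# being handed to eval, and udir_list entries are allowlisted before use.
# Assumed, not from the advisory: one KEY='VALUE' per line and a
# comma-separated udir_list. POSIX sh, so it runs under dash or bash.

# conf_get FILE KEY: print KEY's value. The file is only pattern-matched,
# so an injected  ';$(...);'  inside a value stays an inert string.
conf_get() {
  while IFS= read -r cg_line || [ -n "$cg_line" ]; do
    case $cg_line in
      "$2='"*"'")
        cg_line=${cg_line#"$2='"}   # drop leading KEY='
        cg_line=${cg_line%"'"}      # drop trailing '
        printf '%s\n' "$cg_line"
        return 0 ;;
    esac
  done < "$1"
  return 1
}

# is_safe_filename NAME: succeed only for a conservative character
# allowlist, which a fixed v-backup-user would apply before emitting udir_list.
is_safe_filename() {
  [ -n "$1" ] || return 1
  case $1 in *[!A-Za-z0-9._-]*) return 1 ;; esac
  return 0
}

# validate_udir_list FILE: succeed if every udir_list entry passes the allowlist.
validate_udir_list() {
  vu_value=$(conf_get "$1" udir_list) || return 1
  vu_ifs=$IFS; set -f; IFS=','
  set -- $vu_value                 # split on commas only; globbing is off
  set +f; IFS=$vu_ifs
  for vu_entry in "$@"; do
    is_safe_filename "$vu_entry" || return 1
  done
  return 0
}

# write_sample_conf FILE: constructed backup.conf in the advisory's shape,
# with the crafted dotfile name from the advisory as the last udir_list entry.
write_sample_conf() {
  cat > "$1" <<'EOF'
BACKUP='user.2020-03-22.tar'
udir_list='.bashrc,.bash_logout';$(sleep${IFS}1337);''
EOF
}
```

Run `write_sample_conf` on a temp file and then `validate_udir_list` on it: the parser returns the crafted name as a literal string and the allowlist rejects the file, whereas the same line fed to eval would have executed the embedded command substitution.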
Preconditions
- auth: Attacker must have FTP or shell access to their VestaCP user home directory to rename a file
- input: Attacker must be able to create a filename containing single quotes and shell metacharacters
- config: A backup must be triggered (via the web panel or scheduled) to write the malicious filename into backup.conf
- network: The victim or attacker must access the /list/backup/ endpoint to trigger eval
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/157111/Vesta-Control-Panel-Authenticated-Remote-Code-Execution.html
- packetstormsecurity.com/files/157219/Vesta-Control-Panel-Authenticated-Remote-Code-Execution.html
- forum.vestacp.com/viewforum.php
- github.com/rapid7/metasploit-framework/pull/13094
- pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/
News mentions
No linked articles in our index yet.