VYPR
Unrated severity · NVD Advisory · Published Apr 8, 2021 · Updated Aug 3, 2024

CVE-2021-30463

Description

VestaCP 0.9.8-24 and prior allows authenticated users to escalate to admin by creating symlinks to read the RKEY from admin's user.conf and reset the admin password.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

VestaCP versions 0.9.8-24 and prior contain a privilege escalation vulnerability due to unsafe use of chmod that allows an authenticated user to create symbolic links to files for which they normally lack read permissions [1]. By crafting a symlink to /usr/local/vesta/data/users/admin/user.conf, an attacker can read the RKEY (reset key) parameter, which is used to authorize password changes via the /reset/?action=confirm&user=admin&code= URI.

Exploitation

An attacker with a valid VestaCP user account (e.g., user1) can obtain a shell on the server, for instance by creating a cron job that executes a reverse shell [1]. With shell access, the attacker navigates to their web directory and creates a domain folder, then places a symlink pointing to the admin's user.conf. When the VestaCP panel performs a chmod operation on that file (due to the unsafe implementation), the symlink target becomes readable. The attacker reads the RKEY value, then triggers a password reset request using the /reset/?action=confirm&user=admin&code= URI, thereby changing the admin password without authorization.

Impact

Successful exploitation grants the attacker administrative privileges within the VestaCP panel. As admin, the attacker can manage all system users, modify configurations, and potentially chain this with a second vulnerability (CVE-2021-30462) to achieve full root compromise of the server [1].

Mitigation

The original VestaCP maintainer did not release a fix. Users are recommended to migrate to actively maintained forks such as myVestaCP or HestiaCP, which have already patched these vulnerabilities [1]. As of the publication date, no official patch is available, and the project is effectively unmaintained.
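As an added illustration, not code from VestaCP, myVestaCP or HestiaCP, the following Python shows the check the description says was missing: a chmod helper that refuses symlinks (and paths whose real location escapes the user's directory) and only ever changes the mode of the file it actually opened, plus a sweep an operator can run over a web directory to list symlinks that resolve outside it. It assumes a POSIX host (O_NOFOLLOW and fchmod); the directory layout in demo() is a constructed fixture.

```python
import errno, os, stat, tempfile
from pathlib import Path

def _inside(base_real: Path, resolved: Path) -> bool:
    return resolved == base_real or base_real in resolved.parents

def safe_chmod(path: str, mode: int, base: str) -> bool:
    """chmod `path` only if it is not a symlink and really lives under `base`."""
    base_real, p = Path(base).resolve(), Path(path)
    # lstat() inspects the link itself: the check a link-following chmod lacks.
    if stat.S_ISLNK(os.lstat(p).st_mode):
        return False
    if not _inside(base_real, p.resolve()):  # a parent dir may be a link too
        return False
    # O_NOFOLLOW fails (ELOOP) if the name became a link after lstat(); fchmod()
    # then acts only on the fd we actually opened, never on a re-pointed name.
    try:
        fd = os.open(p, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno != errno.ELOOP:
            raise
        return False
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return True

def find_escaping_symlinks(base: str) -> list:
    """Detection sweep: relative names of symlinks under `base` that resolve outside it."""
    base_real, hits = Path(base).resolve(), []
    for root, dirs, files in os.walk(base):  # os.walk does not descend into links
        for name in dirs + files:
            p = Path(root) / name
            if p.is_symlink() and not _inside(base_real, p.resolve()):
                hits.append(str(p.relative_to(base)))
    return sorted(hits)

def demo() -> dict:
    # Constructed fixture: a web dir with one real file and one escaping symlink.
    tmp = Path(tempfile.mkdtemp())
    web, outside = tmp / "web", tmp / "other.conf"  # stand-in for another
    web.mkdir()                                     # account's config file
    outside.write_text("constructed sample, not a real config\n")
    (web / "index.html").write_text("<html></html>\n")
    (web / "escape.conf").symlink_to(outside)
    return {
        "real_file_changed": safe_chmod(str(web / "index.html"), 0o600, str(web))
        and stat.S_IMODE(os.stat(web / "index.html").st_mode) == 0o600,
        "symlink_refused": not safe_chmod(str(web / "escape.conf"), 0o600, str(web)),
        "escaping_links": find_escaping_symlinks(str(web)),
    }
```

The sweep only reports links whose target resolves outside the base directory, so ordinary in-tree symlinks are not flagged.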

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
