CVE-2021-47949
Description
CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CyberPanel 2.1 has an authenticated remote code execution vulnerability via symlink attacks in the filemanager controller, enabling file reading and command execution.
Vulnerability
Overview
CVE-2021-47949 is an authenticated remote code execution vulnerability in CyberPanel version 2.1. The root cause lies in insufficient validation of the completeStartingPath parameter in POST requests to the /filemanager/controller endpoint. Attackers can manipulate this parameter to create symbolic links pointing to arbitrary files on the server, such as database credentials or system files [2][4].
Exploitation
Details
An attacker with valid CyberPanel credentials can exploit this flaw by sending a crafted POST request to /filemanager/controller with a malicious completeStartingPath value that creates a symlink. Subsequently, the attacker leverages the /websites/fetchFolderDetails endpoint to execute arbitrary shell commands through the symlink, effectively achieving remote code execution [2]. No additional privileges beyond a standard user account are required, making the attack surface broad for any authenticated user.
Impact
Successful exploitation allows an attacker to read sensitive files (e.g., database credentials, configuration files) and execute arbitrary operating system commands with the privileges of the web server. This can lead to full compromise of the CyberPanel server, including data exfiltration, lateral movement, and potential takeover of hosted websites [4].
Mitigation
The vulnerability affects CyberPanel version 2.1 and earlier. The CyberPanel project has addressed this issue in subsequent releases; users are strongly advised to upgrade to the latest version. Public exploit code is available [2], increasing the risk of active exploitation. No workarounds are documented, so patching is the recommended course of action.
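The defensive check that closes this bug class, resolving every symlink and `..` component before deciding whether a requested path may be served, as an added illustration that is not CyberPanel's code; `resolve_within_root`, the file manager root layout and the sample file names are hypothetical:

```python
import os
import tempfile
from pathlib import Path


def resolve_within_root(root: str, requested: str) -> str:
    """Return the canonical path for `requested` only if it still lies inside
    `root` after symlinks and '..' are resolved; otherwise raise ValueError.
    Checking the resolved path (not the user-supplied string) is what defeats
    a symlink planted inside the root that points at a file outside it."""
    root_real = os.path.realpath(root)
    # Treat the request as relative to the file manager root even if it starts with '/'.
    candidate = os.path.join(root_real, requested.lstrip("/"))
    candidate_real = os.path.realpath(candidate)  # follows symlinks, collapses '..'
    if os.path.commonpath([root_real, candidate_real]) != root_real:
        raise ValueError(f"path escapes root: {requested}")
    return candidate_real


def demo() -> dict:
    """Constructed sandbox: a file manager root holding a symlink that points at a
    file outside the root (placeholder content, not real credentials)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    outside = os.path.join(base, "secret.cnf")
    Path(outside).write_text("db_password=placeholder\n")
    Path(os.path.join(root, "index.html")).write_text("ok\n")
    os.symlink(outside, os.path.join(root, "link"))  # the planted symlink
    results = {}
    for req in ["index.html", "link", "../secret.cnf", "/index.html"]:
        try:
            resolve_within_root(root, req)
            results[req] = "allowed"
        except ValueError:
            results[req] = "rejected"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req!r}: {verdict}")
```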
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: =2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.