Vesta Control Panel
Vesta Control Panel (VestaCP) is a free and open-source web hosting control panel designed to simplify the management of domains, web servers, databases, mail, and DNS services. It provides a lightweight interface for system administrators to configure and maintain Linux-based servers, offering functionality similar to commercial hosting panels but with reduced complexity and overhead. VestaCP is often deployed in small to medium hosting environments where ease of management and minimal resource usage are prioritized.
Authenticated RCE
VestaCP through version 0.9.8-26 is affected by a command injection vulnerability (CVE-2020-10808) in the backup listing endpoint under schedule/backup: a filename taken from the backup contents is passed to a shell command without sanitization. Exploitation requires a valid panel account (hence authenticated RCE) and the ability to create a crafted filename on the server, for example over FTP by renaming .bash_logout to a .bash_logout' prefix followed by shell metacharacters, as described in the CVE entry. Listing the backup then executes the injected command as the panel's backend. A working PoC is available:
python3 vesta-rce-exploit.py https://192.168.1.100:8083 admin password123
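Added illustration, not VestaCP's own code and not the PoC above: the injectable pattern (a filename interpolated into a shell string) beside its hardened form, plus a quick scan for planted filenames that a responder can run over user home and backup directories. The `ls -la` listing command is a hypothetical stand-in for whatever the panel actually runs on backup contents; the crafted name follows the shape given in the CVE description, with the payload reduced to creating a marker file in a scratch directory.

```python
"""
Command injection through crafted filenames: vulnerable vs. hardened listing.

Illustration only (not VestaCP code). `ls -la` is a harmless stand-in for the
shell command the panel runs on backup contents; the crafted filename and the
marker file are constructed for this demonstration.
"""
import os
import re
import subprocess
import tempfile

# Shaped like the name in the CVE description: a benign name, a closing quote,
# then shell metacharacters. The payload here only creates a marker file.
CRAFTED_NAME = ".bash_logout';touch injected_marker;'"
MARKER = "injected_marker"


def list_entry_vulnerable(workdir: str, name: str) -> str:
    """Interpolates the filename into a shell string (the injectable pattern).
    The quote in the name closes the intended quoting, so the shell runs
    whatever follows it as a separate command."""
    cmd = f"ls -la '{name}'"
    proc = subprocess.run(cmd, shell=True, cwd=workdir,
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def list_entry_hardened(workdir: str, name: str) -> str:
    """Passes the filename as a single argv element; no shell parses it.
    '--' ends option parsing so a name starting with '-' is not read as a flag."""
    proc = subprocess.run(["ls", "-la", "--", name], cwd=workdir,
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


# Characters that change how a POSIX shell tokenizes a command line.
SHELL_META = re.compile(r"[;&|`$'\"\\(){}<>\n]")


def find_suspicious_names(root: str) -> list:
    """Return paths (relative to root) whose names contain shell metacharacters.
    A quick check of home/backup directories for names planted for this kind
    of injection; legitimate names rarely contain these characters."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            if SHELL_META.search(n):
                hits.append(os.path.relpath(os.path.join(dirpath, n), root))
    return sorted(hits)


def demo() -> dict:
    """Run both variants in a scratch directory and report whether the payload fired."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, CRAFTED_NAME), "w"):
            pass  # plant the crafted (empty) file, as an FTP rename would
        list_entry_vulnerable(d, CRAFTED_NAME)
        results["vulnerable_marker_created"] = os.path.exists(os.path.join(d, MARKER))
        # a marker left by the vulnerable run would mask the hardened result
        if results["vulnerable_marker_created"]:
            os.remove(os.path.join(d, MARKER))
        list_entry_hardened(d, CRAFTED_NAME)
        results["hardened_marker_created"] = os.path.exists(os.path.join(d, MARKER))
        results["suspicious"] = find_suspicious_names(d)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module reports the marker being created by the interpolated variant only; the hardened variant lists the crafted file as an ordinary path. The scan helper is the check to run over user home and backup directories on a host that was exposed, since the crafted filename must exist on disk before the listing endpoint can be abused.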