CVE-2013-10053
Published: 2025-08-01
Priority: P2 · 64 · CVSS 4.0: 8.7 (high)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.03% (59.5th percentile)
A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zpanel_project | zpanel | <= 10.0.0.2 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to ZPanel's htpasswd module endpoint for shell metacharacters (e.g., ;, |, &&, $(), backticks) in the inHTUsername parameter field.
- Alert on the ZPanel web process spawning unexpected child processes (e.g., /bin/sh, bash, curl, wget) as a result of the htpasswd system() call being abused.
- Flag authenticated sessions from low-privilege ZPanel accounts (Users/Resellers/Administrators) that interact with the htpasswd/.htaccess creation functionality, as exploitation only requires a valid account in any default group.
- The default 'zadmin' account is a known target/source for exploitation attempts; monitor for login activity or .htaccess creation actions under this account.
- Exploitation requires a valid authenticated ZPanel account; unauthenticated exploitation is not possible. Any account in the default groups is sufficient; no admin privileges are needed.
- The 'zadmin' default account exists on all ZPanel 10.0.0.2 installations but uses a randomly generated password, so it cannot be assumed to be a trivial entry point without credential access.
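The first detection item above, turned into runnable logic: an added example (not ZPanel code or a rule from the page's sources) that scans constructed request-log lines for POSTs to the htpasswd module whose inHTUsername value contains shell metacharacters or falls outside an allow-list of ordinary htpasswd usernames. The log format, the `/?module=htpasswd` path and the allow-list are assumptions for the example.

```python
import re
from urllib.parse import parse_qs

# Allow-list of what a legitimate htpasswd username looks like (assumption
# for this example, not a rule taken from ZPanel or the htpasswd binary).
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

# Shell metacharacters named in the detection guidance above (; | && $( and
# backticks), plus redirection, braces and newlines, which reach a system()
# call the same way.
METACHARS = re.compile(r"[;|&`$<>(){}\r\n]")


def is_suspicious_username(value: str) -> bool:
    """True if an inHTUsername value carries shell metacharacters or is
    not a plain allow-listed username (empty values count as suspicious)."""
    return bool(METACHARS.search(value)) or not SAFE_USERNAME.match(value)


def scan_log(lines):
    """Scan constructed request-log lines '<ip> POST <path> <urlencoded body>'
    and return (ip, path, username) for each POST to an htpasswd endpoint
    whose inHTUsername is suspicious. The log layout is an assumption."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4 or parts[1] != "POST":
            continue  # not a POST, or no request body in the line
        ip, _, path, body = parts
        if "htpasswd" not in path.lower():
            continue  # only the htpasswd module is in scope
        for user in parse_qs(body).get("inHTUsername", []):  # decodes %xx and +
            if is_suspicious_username(user):
                hits.append((ip, path, user))
    return hits


# Constructed sample traffic: one benign request, two requests carrying the
# metacharacters the guidance above says to look for, and one non-POST.
SAMPLE_LOG = [
    "203.0.113.5 POST /?module=htpasswd inHTUsername=alice&inHTPassword=s3cret",
    "203.0.113.9 POST /?module=htpasswd inHTUsername=bob%3Bid&inHTPassword=x",
    "203.0.113.9 POST /?module=htpasswd inHTUsername=%60uname+-a%60&inHTPassword=x",
    "203.0.113.7 GET /?module=htpasswd",
]

if __name__ == "__main__":
    for ip, path, user in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {path} inHTUsername={user!r}")
```

In production the same check belongs on the decoded POST body at the web server or WAF, paired with the process-spawn alert from the second item, since a username that survives the allow-list cannot carry the metacharacters the system() call would interpret.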
References
- https://github.com/zpanel/zpanelx
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/zpanel_username_exec.rb
- https://web.archive.org/web/20130617014355/http://forums.zpanelcp.com/showthread.php?27898-Serious-Remote-Execution-Exploit-in-Zpanel-10-0-0-2
- https://www.vulncheck.com/advisories/zpanel-htpasswd-module-username-command-execution