cbcvebase.
CVE-2013-10053
published 2025-08-01

Priority: P2 · 64 · high 8.7 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT · EPSS 1.03% (59.5th percentile)
A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges.

Affected (1 range)

Vendor          Product   Version range   Fixed in
zpanel_project  zpanel    <= 10.0.0.2     (not listed)

Detection & IOCs (extracted from sources)

version: ZPanel 10.0.0.2
command: system() call invoking htpasswd binary with unsanitized inHTUsername field
  • Monitor HTTP POST requests to ZPanel's htpasswd module endpoint for shell metacharacters (e.g., ;, |, &&, $(), backticks) in the inHTUsername parameter field.
  • Alert on ZPanel web process spawning unexpected child processes (e.g., /bin/sh, bash, curl, wget) as a result of the htpasswd system() call being abused.
  • Flag authenticated sessions from low-privilege ZPanel accounts (Users/Resellers/Administrators) that interact with the htpasswd/.htaccess creation functionality, as exploitation only requires a valid account in any default group.
  • The default 'zadmin' account is a known target/source for exploitation attempts; monitor for login activity or .htaccess creation actions under this account.
  • Exploitation requires a valid authenticated ZPanel account; unauthenticated exploitation is not possible. Any account in the default groups is sufficient — no admin privileges needed.
  • The 'zadmin' default account exists on all ZPanel 10.0.0.2 installations but uses a randomly generated password, so it cannot be assumed to be a trivial entry point without credential access.
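An added example (not from this page or from the ZPanel project) implementing the first detection bullet: it scans constructed application-log lines for POSTs to the htpasswd module whose percent-decoded inHTUsername contains shell metacharacters, and includes the allowlist check a fixed module would apply before the value reaches system(). The log format and the /?module=htpasswd URI are assumptions.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters listed in the detection guidance above, plus CR/LF,
# which also split a command line handed to system().
SHELL_META = re.compile(r"[;|&`$()\r\n]")

# Allowlist a fixed module should enforce before inHTUsername reaches system().
# Assumption: htpasswd users are alphanumerics plus '.', '_' and '-'.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Constructed application-log format (not ZPanel's own):
# <timestamp> <panel account> <method> <uri> [<url-encoded form body>]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (\S*))?$")

# Constructed sample lines; the third has no body, the last targets another module.
SAMPLE_LOG = [
    "2025-08-01T10:00:00Z zadmin POST /?module=htpasswd inHTUsername=alice&inHTPassword=s3cret",
    "2025-08-01T10:00:05Z bob POST /?module=htpasswd inHTUsername=alice%3Bhostname&inHTPassword=x",
    "2025-08-01T10:00:09Z bob GET /?module=htpasswd",
    "2025-08-01T10:00:12Z carol POST /?module=htpasswd inHTUsername=%24(hostname)&inHTPassword=x",
    "2025-08-01T10:00:15Z dave POST /?module=mail inHTUsername=x%7Cls&inHTPassword=x",
]


def is_safe_htpasswd_username(value: str) -> bool:
    """Allowlist check: True only if the value can reach htpasswd as a plain word."""
    return SAFE_USERNAME.fullmatch(value) is not None


def flag_htpasswd_requests(log_lines):
    """Return (line_no, account, decoded inHTUsername) for POSTs to the htpasswd
    module whose username field carries shell metacharacters."""
    findings = []
    for line_no, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        _ts, account, method, uri, body = m.groups()
        if method != "POST" or "module=htpasswd" not in uri:
            continue
        # parse_qs percent-decodes, so %3B is inspected as ';'
        username = parse_qs(body or "").get("inHTUsername", [""])[0]
        if SHELL_META.search(username):
            findings.append((line_no, account, username))
    return findings


if __name__ == "__main__":
    for hit in flag_htpasswd_requests(SAMPLE_LOG):
        print("suspicious htpasswd request:", hit)
```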