CVE-2020-10808
published 2020-03-22

Priority: P278 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 77.26% (99.5th percentile)
Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters.

Affected

1 range

Vendor    Product               Version range   Fixed in
vestacp   vesta_control_panel   <= 0.9.8-26

Detection & IOCs (extracted from sources)

url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/vestacp_exec.rb
path: schedule/backup
process: v-list-user-backups
  • Monitor for filenames on the server containing shell metacharacters (e.g., single quotes, semicolons, backticks) appended to '.bash_logout', which is the demonstrated exploitation technique for injecting commands via the backup listing endpoint.
  • Alert on authenticated HTTP requests to the schedule/backup endpoint in VestaCP (versions through 0.9.8-26) that result in unexpected process execution or privilege escalation to root.
  • Detect execution of the v-list-user-backups bash script with anomalous arguments or spawning unexpected child processes, which may indicate active exploitation for RCE as root.
  • Monitor FTP sessions to VestaCP servers for file rename operations targeting backup-related filenames, especially renames that introduce shell metacharacters into filenames.
  • Exploitation requires the attacker to be authenticated to VestaCP and also able to create or rename a crafted filename on the server (e.g., via FTP access), meaning this is not an unauthenticated/remote-only attack vector.
  • The vulnerability affects VestaCP through version 0.9.8-26 only; detections and mitigations should be scoped to this version range.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C