📄 Description (English)
ZesleCP 3.1.9 contains an authenticated remote code execution vulnerability that allows attackers to create malicious FTP accounts with shell injection payloads. Attackers can exploit the FTP account creation endpoint by injecting a reverse shell command that establishes a network connection to a specified listening host.
🤖 AI Executive Summary
ZesleCP 3.1.9 contains a critical authenticated remote code execution vulnerability (CVE-2021-47794) allowing attackers to inject shell commands through FTP account creation endpoints. With a CVSS score of 8.8 and publicly available exploits, this poses an immediate threat to organizations using ZesleCP for hosting control and management. The vulnerability requires authentication but enables full system compromise through reverse shell execution.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 01:58
🇸🇦 Saudi Arabia Impact Assessment
Saudi hosting providers, web agencies, and government entities using ZesleCP for server management face significant risk. Telecommunications sector (STC, Mobily) and financial institutions managing their own hosting infrastructure are particularly vulnerable. Government agencies under NCA oversight and ARAMCO's IT operations could be compromised if ZesleCP is deployed. The vulnerability enables attackers to establish persistent access, exfiltrate sensitive data, and pivot to connected systems within critical infrastructure networks.
🏢 Affected Saudi Sectors
Hosting and Web Services
Telecommunications (STC, Mobily, Zain)
Banking and Financial Services
Government Agencies
Energy Sector (ARAMCO subsidiaries)
Healthcare Providers
E-commerce Platforms
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all ZesleCP installations in your environment and document version numbers
2. Restrict FTP account creation functionality to trusted administrators only
3. Implement network segmentation to isolate ZesleCP management interfaces
4. Monitor FTP account creation logs for suspicious activity
5. Review all FTP accounts created in the past 90 days for unauthorized entries
PATCHING:
1. Upgrade ZesleCP to version 3.1.10 or later immediately
2. Apply security patches from official ZesleCP repository
3. Verify patch installation by checking version in admin panel
COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable FTP account creation feature via configuration files
2. Implement Web Application Firewall (WAF) rules to block FTP creation endpoints
3. Enforce multi-factor authentication for ZesleCP admin access
4. Implement IP whitelisting for ZesleCP management interface
DETECTION:
1. Monitor for POST requests to /ftp/create or similar endpoints with shell metacharacters (|, ;, &, $, `, etc.)
2. Alert on FTP accounts with usernames containing command injection patterns
3. Monitor outbound connections from ZesleCP server to unusual ports
4. Review system logs for unexpected process execution from FTP daemon
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات ZesleCP في بيئتك وتوثيق أرقام الإصدارات
2. تقييد وظيفة إنشاء حسابات FTP للمسؤولين الموثوقين فقط
3. تنفيذ تقسيم الشبكة لعزل واجهات إدارة ZesleCP
4. مراقبة سجلات إنشاء حسابات FTP للنشاط المريب
5. مراجعة جميع حسابات FTP التي تم إنشاؤها في آخر 90 يوماً للبحث عن الإدخالات غير المصرح بها
تطبيق التصحيحات:
1. ترقية ZesleCP إلى الإصدار 3.1.10 أو أحدث فوراً
2. تطبيق تصحيحات الأمان من مستودع ZesleCP الرسمي
3. التحقق من تثبيت التصحيح بفحص الإصدار في لوحة المسؤول
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل ميزة إنشاء حسابات FTP عبر ملفات التكوين
2. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر نقاط نهاية إنشاء FTP
3. فرض المصادقة متعددة العوامل لوصول مسؤول ZesleCP
4. تنفيذ القائمة البيضاء للعناوين IP لواجهة إدارة ZesleCP
الكشف:
1. مراقبة طلبات POST إلى نقاط نهاية إنشاء FTP التي تحتوي على أحرف shell (|، ;، &، $، `، إلخ)
2. التنبيه على حسابات FTP بأسماء مستخدمين تحتوي على أنماط حقن الأوامر
3. مراقبة الاتصالات الصادرة من خادم ZesleCP إلى منافذ غير عادية
4. مراجعة سجلات النظام لتنفيذ العمليات غير المتوقعة من daemon FTP
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.12.3.1 - Configuration management
A.12.2.1 - Change management procedures
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.IP-12 - Software development and acquisition security
DE.CM-8 - Vulnerability scans and assessments
RS.MI-2 - Incident response and containment
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.12.3.1 - Configuration management
A.12.2.1 - Change management
🟣 PCI DSS v4.0.1
6.2 - Security patches and updates
6.5.1 - Injection flaws prevention
11.2 - Vulnerability scanning
🔗 References & Sources 4
🔗
https://www.exploit-db.com/exploits/50233
disclosure@vulncheck.com
Exploit
Third Party Advisory
🔗
https://www.vulncheck.com/advisories/zeslecp-remote-code-execution-rce-authenticated
disclosure@vulncheck.com
Third Party Advisory
🔗
https://www.youtube.com/watch?v=5lTDTEBVq-0
disclosure@vulncheck.com
Exploit
🔗
https://zeslecp.com/
disclosure@vulncheck.com
Product
📦 Affected Products / CPE 1 entries
zesle:zeslecp