📄 Description (English)
Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server.
🤖 AI Executive Summary
CVE-2021-47871 is a critical arbitrary file write vulnerability in Hestia Control Panel 1.3.2 affecting authenticated users. Attackers can exploit the v-make-tmp-file API command to write malicious files (SSH keys, web shells) to arbitrary server locations, leading to complete system compromise. This vulnerability requires authentication but poses severe risk to hosting providers and organizations using Hestia for server management across Saudi Arabia.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 01:59
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi hosting providers, web development agencies, and government/private sector organizations using Hestia Control Panel for server management. High-risk sectors include: (1) Telecom providers (STC, Mobily, Zain) managing customer hosting infrastructure; (2) Government entities (NCA, CITC) using Hestia for internal server management; (3) Banking sector (SAMA-regulated institutions) if using Hestia for non-critical infrastructure; (4) Healthcare organizations managing patient data servers; (5) E-commerce platforms and digital service providers. Compromised servers could lead to data theft, service disruption, and regulatory violations under NCA ECC 2024 and SAMA CSF frameworks.
🏢 Affected Saudi Sectors
Hosting & Cloud Services
Telecommunications (STC, Mobily, Zain)
Government (NCA, CITC)
Banking & Financial Services
Healthcare
E-commerce & Digital Services
Web Development Agencies
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Hestia Control Panel 1.3.2 instances in your infrastructure using network scanning tools
2. Restrict API access to v-make-tmp-file command at firewall/WAF level immediately
3. Review authentication logs for suspicious API calls to index.php endpoint
4. Audit all files in /tmp and system directories for unauthorized SSH keys or web shells
PATCHING:
1. Upgrade Hestia Control Panel to version 1.3.3 or later immediately
2. Apply security patches from official Hestia repository
3. Verify patch installation by checking version in admin panel
COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable API access via index.php endpoint using web server configuration
2. Implement IP whitelisting for API access
3. Enforce strong authentication (MFA) for all control panel users
4. Monitor file system changes in critical directories using AIDE/Tripwire
DETECTION:
1. Monitor logs for POST requests to index.php containing 'v-make-tmp-file'
2. Alert on file creation in /root/.ssh, /var/www, and system directories by web server user
3. Track unauthorized SSH key additions to authorized_keys files
4. Implement IDS signatures for arbitrary file write attempts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ Hestia Control Panel 1.3.2 في البنية التحتية الخاصة بك باستخدام أدوات المسح
2. تقييد وصول API إلى أمر v-make-tmp-file على مستوى جدار الحماية فوراً
3. مراجعة سجلات المصادقة للاتصالات المريبة بـ API
4. تدقيق جميع الملفات في /tmp والمجلدات النظامية للبحث عن مفاتيح SSH أو أصداف ويب غير مصرح بها
التصحيح:
1. ترقية Hestia Control Panel إلى الإصدار 1.3.3 أو أحدث فوراً
2. تطبيق تصحيحات الأمان من مستودع Hestia الرسمي
3. التحقق من تثبيت التصحيح بفحص الإصدار في لوحة المسؤول
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل وصول API عبر نقطة نهاية index.php باستخدام إعدادات خادم الويب
2. تطبيق القائمة البيضاء للعناوين IP لوصول API
3. فرض المصادقة القوية (MFA) لجميع مستخدمي لوحة التحكم
4. مراقبة التغييرات في نظام الملفات في المجلدات الحرجة باستخدام AIDE/Tripwire
الكشف:
1. مراقبة السجلات لطلبات POST إلى index.php تحتوي على 'v-make-tmp-file'
2. التنبيه عند إنشاء ملفات في /root/.ssh و /var/www والمجلدات النظامية
3. تتبع إضافات مفاتيح SSH غير المصرح بها إلى ملفات authorized_keys
4. تطبيق توقيعات IDS لمحاولات الكتابة التعسفية للملفات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.8.1.1 - User access management and authentication
A.8.2.1 - User access provisioning and de-provisioning
A.12.4.1 - Event logging and monitoring
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
Governance & Risk Management - Vulnerability Management
Information & Cyber Security - Access Control
Information & Cyber Security - Monitoring & Detection
Operational Resilience - Incident Response
🟡 ISO 27001:2022
A.5.1 - Management direction for information security
A.8.1 - User endpoint devices
A.8.2 - Privileged access rights
A.12.6 - Management of technical vulnerabilities
A.13.1 - Network security perimeter
🟣 PCI DSS v4.0
Requirement 2.1 - Change default passwords
Requirement 6.2 - Security patches and updates
Requirement 8.1 - User access control
Requirement 10.2 - Logging and monitoring
🔗 References & Sources 4