
CVE-2021-47949
Severity: High
CWE-59 — Weakness Type
Published: May 10, 2026 · Modified: May 17, 2026 · Source: NVD
CVSS v3: 8.8
🔗 NVD Official
📄 Description (English)

CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint.

🤖 AI Executive Summary

CyberPanel 2.1 contains a critical authenticated remote code execution vulnerability (CVE-2021-47949) exploiting symlink attacks in the filemanager controller. Attackers with valid credentials can manipulate file paths to read sensitive files including database credentials and execute arbitrary shell commands. This poses significant risk to Saudi hosting providers and web hosting companies managing customer websites.


🤖 AI Intelligence Analysis (analyzed: May 13, 2026 22:41)
🇸🇦 Saudi Arabia Impact Assessment
High impact for Saudi web hosting providers, data center operators, and government agencies using CyberPanel for website management. Sectors at risk include: Telecom (STC, Mobily) hosting divisions, Banking sector web infrastructure, Government agencies (NCA, CITC) managing web portals, E-commerce platforms, and Educational institutions. Compromised credentials could lead to lateral movement into customer networks and data exfiltration of sensitive Saudi business information.
🏢 Affected Saudi Sectors
- Web Hosting & Data Centers
- Telecommunications (STC, Mobily)
- Banking & Financial Services
- Government & Public Sector
- E-commerce
- Education
- Healthcare
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all CyberPanel 2.1 instances in your environment and isolate from production if possible
2. Review access logs for /filemanager/controller endpoint for suspicious POST requests with completeStartingPath parameters
3. Audit database credentials and rotate all passwords immediately
4. Check for unauthorized symbolic links in website directories
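As an added defender-side check for action 4 (example code, not from the advisory or from CyberPanel): this script walks one site directory and reports symlinks that resolve outside that site or onto a constructed list of sensitive paths. The /websites/<site> layout and the watch list are assumptions.

```python
import os
from pathlib import Path

# Constructed watch list: paths a site-local symlink should never resolve to
# (an assumption for illustration, not a list from the advisory or CyberPanel).
SENSITIVE_TARGETS = ("/etc", "/root")


def _under(path, prefix):
    """True when path equals prefix or lies beneath it."""
    prefix = Path(prefix)
    return path == prefix or prefix in path.parents


def audit_symlinks(site_root):
    """Walk one site directory (e.g. /websites/<site>, an assumed layout) and
    report symlinks that escape it.

    Returns a list of (link_path, raw_target, reason) tuples. Links whose
    resolved target stays inside site_root are ignored; dangling or looping
    links are reported because they cannot be resolved safely.
    """
    root = Path(site_root).resolve()
    findings = []
    # followlinks is False by default, so symlinked directories are listed
    # but not descended into (which also stops the walk escaping the site).
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            raw_target = os.readlink(link)
            try:
                resolved = link.resolve(strict=True)
            except (OSError, RuntimeError):
                findings.append((str(link), raw_target, "dangling or looping link"))
                continue
            if any(_under(resolved, s) for s in SENSITIVE_TARGETS):
                findings.append((str(link), raw_target, "points at sensitive path"))
            elif not _under(resolved, root):
                findings.append((str(link), raw_target, "escapes site root"))
    return findings
```

Run it per site directory and treat any "escapes site root" or "points at sensitive path" finding as something to review with the site owner before removing.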

COMPENSATING CONTROLS (No patch available):
1. Implement strict network access controls - restrict filemanager endpoint to trusted IPs only
2. Disable filemanager functionality if not actively used
3. Implement Web Application Firewall (WAF) rules to block POST requests to /filemanager/controller with suspicious path traversal patterns
4. Monitor for symlink creation attempts in /websites/ directories
5. Implement file integrity monitoring on critical configuration files
6. Enforce strong authentication and disable default credentials
7. Consider upgrading to alternative control panel solutions (cPanel, Plesk) if available

DETECTION RULES:
- Alert on POST requests to /filemanager/controller containing '../' or symlink creation patterns
- Monitor /websites/fetchFolderDetails for unusual parameter values
- Track file access to database configuration files and credentials
- Log all shell command executions from web server processes
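The detection rules above, as an added example that is not part of the original advisory: it runs the first two rules over a few constructed access-log lines. It assumes a combined-format log extended with the POST body as body="..." (stock web-server logs omit bodies; a WAF or application-level logger is assumed to add them); the endpoint and parameter names come from the advisory, the method names inside the bodies are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log lines (assumed format: combined log + body="...").
SAMPLE_LOG = """\
198.51.100.7 - admin [13/May/2026:22:41:07 +0300] "POST /filemanager/controller HTTP/1.1" 200 512 body="method=listFolder&completeStartingPath=/home/example.com/public_html"
198.51.100.7 - admin [13/May/2026:22:41:09 +0300] "POST /filemanager/controller HTTP/1.1" 200 512 body="method=listFolder&completeStartingPath=/home/example.com/public_html/../../../"
203.0.113.9 - admin [13/May/2026:22:42:30 +0300] "POST /filemanager/controller HTTP/1.1" 200 77 body="method=createSymlink&completeStartingPath=/home/example.com/public_html"
203.0.113.9 - admin [13/May/2026:22:43:02 +0300] "POST /websites/fetchFolderDetails HTTP/1.1" 200 300 body="folderName=public_html|id"
198.51.100.7 - admin [13/May/2026:22:44:00 +0300] "GET /websites/listWebsites HTTP/1.1" 200 2048 body=""
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ body="(?P<body>[^"]*)"$'
)
TRAVERSAL = re.compile(r'\.\./|\.\.\\', re.IGNORECASE)      # after URL-decoding
SYMLINK = re.compile(r'symlink|\bln\s+-s', re.IGNORECASE)   # symlink creation patterns
SHELL_META = re.compile(r'[;|`]|\$\(')                      # shell metacharacters


def detect(log_text):
    """Apply the advisory's detection rules; return (ip, user, path, reason) alerts."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not in the assumed format; skip
        path, body = m["path"], unquote(m["body"])
        # parse_qs URL-decodes values, so encoded "../" is caught as well
        params = {k: v[0] for k, v in parse_qs(m["body"]).items()}
        reason = None
        if m["method"] == "POST" and path == "/filemanager/controller":
            if TRAVERSAL.search(params.get("completeStartingPath", "")):
                reason = "path traversal in completeStartingPath"
            elif SYMLINK.search(body):
                reason = "symlink creation pattern in request"
        elif path == "/websites/fetchFolderDetails":
            if SHELL_META.search(body):
                reason = "shell metacharacters in fetchFolderDetails parameters"
        if reason:
            alerts.append((m["ip"], m["user"], path, reason))
    return alerts
```

Lines 2, 3 and 4 of the sample produce alerts; lines 1 and 5 are ordinary traffic and stay quiet.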
🔧 Remediation Steps (Arabic, translated to English)
IMMEDIATE ACTIONS:
1. Identify all CyberPanel 2.1 instances in your environment and isolate them from production if possible
2. Review access logs for the /filemanager/controller endpoint for suspicious requests
3. Audit database credentials and rotate all passwords immediately
4. Check for unauthorized symbolic links in site directories

COMPENSATING CONTROLS (no patches available):
1. Apply strict network access controls - restrict the file manager endpoint to trusted IP addresses only
2. Disable the file manager function if it is not in use
3. Apply web application firewall rules to block suspicious POST requests
4. Monitor symbolic link creation attempts
5. Apply file integrity monitoring to sensitive files
6. Enforce strong authentication and disable default credentials
7. Consider migrating to alternative control panel solutions
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.5.1.1 - Access Control Policies
- ECC 2024 A.5.2.1 - User Registration and Access Rights Management
- ECC 2024 A.5.3.1 - Password Management
- ECC 2024 A.12.2.1 - Restrictions on Software Installation
- ECC 2024 A.12.4.1 - Event Logging
- ECC 2024 A.12.4.3 - Administrator and Operator Logs
🔵 SAMA CSF
- SAMA CSF ID.AM-2 - Software Inventory
- SAMA CSF PR.AC-1 - Access Control
- SAMA CSF PR.AC-4 - Access Rights Management
- SAMA CSF DE.CM-1 - Network Monitoring
- SAMA CSF DE.AE-1 - Anomalies and Events Detection
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.15 - Access Control
- ISO 27001:2022 A.5.16 - Identification and Authentication
- ISO 27001:2022 A.5.17 - Access Rights
- ISO 27001:2022 A.8.1 - User Endpoint Devices
- ISO 27001:2022 A.8.22 - Monitoring
- ISO 27001:2022 A.8.23 - Web Filtering
🟣 PCI DSS v4.0.1
- PCI DSS 2.1 - Default Passwords
- PCI DSS 6.2 - Security Patches
- PCI DSS 7.1 - Access Control
- PCI DSS 10.2 - User Access Logging
📊 CVSS Score: 8.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-59
EPSS: 0.10%
Exploit: No
Patch: ✗ No
Published: 2026-05-10
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags: CWE-59