الثغرات ›

CVE-2026-43634

مرتفع

CWE-348 — نوع الضعف

                    نُشر: May 19, 2026                      ·  آخر تحديث: May 26, 2026                      ·  المصدر: NVD                

CVSS v3

7.5

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.

🤖 ملخص AI

HestiaCP versions 1.2.0-1.9.4 contain a critical IP spoofing vulnerability (CVE-2026-43634) allowing unauthenticated attackers to bypass authentication controls by manipulating the CF-Connecting-IP header without Cloudflare origin verification. This enables circumvention of brute-force protections, IP allowlists, and audit log poisoning. With no patch currently available and no exploit publicly disclosed, organizations must implement immediate compensating controls to prevent authentication bypass attacks.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: May 21, 2026 12:14

🇸🇦 التأثير على المملكة العربية السعودية

Saudi organizations using HestiaCP for hosting control panels face significant risk, particularly: (1) Government agencies and NCA-regulated entities managing critical infrastructure dashboards; (2) Banking sector institutions using HestiaCP for administrative interfaces; (3) Telecom providers (STC, Mobily) managing network infrastructure; (4) Healthcare organizations (MOH) hosting patient management systems; (5) Energy sector (ARAMCO, SEC) managing operational technology interfaces. The vulnerability enables credential stuffing attacks, unauthorized administrative access, and audit log manipulation—critical for compliance with SAMA CSF and NCA ECC 2024 requirements.

🏢 القطاعات السعودية المتأثرة

Government & Public Administration Banking & Financial Services Telecommunications Healthcare Energy & Utilities Hosting & Cloud Services Critical Infrastructure

🎯 تقنيات MITRE ATT&CK

T1078 - Valid Accounts (authentication bypass) T1110 - Brute Force (fail2ban circumvention) T1562.008 - Impair Defenses: Disable or Modify Logs (audit log poisoning) T1040 - Traffic Redirection (IP spoofing) T1021.001 - Remote Services: Remote Desktop Protocol (administrative access) T1190 - Exploit Public-Facing Application (unauthenticated exploitation)

⚖️ درجة المخاطر السعودية (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Disable CF-Connecting-IP header processing in HestiaCP configuration if not using Cloudflare CDN

2. Implement strict IP allowlisting at firewall/WAF level for administrative interfaces

3. Enable multi-factor authentication (MFA) on all HestiaCP user accounts immediately

4. Review and reset authentication audit logs for suspicious IP patterns

5. Implement rate limiting on login endpoints (max 5 attempts per 15 minutes per IP)



COMPENSATING CONTROLS:

6. Deploy WAF rules to validate CF-Connecting-IP header only from Cloudflare ASN ranges (103.21.244.0/22, 103.22.200.0/22, etc.)

7. Configure fail2ban to monitor actual source IP (not header-based) using iptables logging

8. Implement reverse proxy (nginx/Apache) to strip untrusted headers before HestiaCP processing

9. Enable detailed logging of all authentication attempts with source IP verification

10. Monitor for multiple failed login attempts from different spoofed IPs



DETECTION RULES:

- Alert on CF-Connecting-IP header values not matching actual source IP

- Flag login attempts from IPs outside organization's known ranges

- Monitor for rapid authentication failures followed by successful login from different IP

- Track audit log entries with mismatched source IPs

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تعطيل معالجة رأس CF-Connecting-IP في تكوين HestiaCP إذا لم تكن تستخدم Cloudflare CDN

2. تنفيذ قائمة IP مسموحة صارمة على مستوى جدار الحماية/WAF للواجهات الإدارية

3. تفعيل المصادقة متعددة العوامل (MFA) على جميع حسابات مستخدمي HestiaCP فوراً

4. مراجعة وإعادة تعيين سجلات تدقيق المصادقة للأنماط المريبة

5. تنفيذ تحديد معدل على نقاط نهاية تسجيل الدخول (5 محاولات كحد أقصى لكل 15 دقيقة لكل IP)



الضوابط التعويضية:

6. نشر قواعد WAF للتحقق من رأس CF-Connecting-IP فقط من نطاقات Cloudflare ASN

7. تكوين fail2ban لمراقبة IP المصدر الفعلي باستخدام تسجيل iptables

8. تنفيذ خادم وكيل عكسي لحذف الرؤوس غير الموثوقة قبل معالجة HestiaCP

9. تفعيل تسجيل مفصل لجميع محاولات المصادقة مع التحقق من IP المصدر

10. مراقبة محاولات تسجيل دخول متعددة الفشل من عناوين IP مختلفة مزيفة

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policy (authentication bypass risk) ECC 2024 A.8.2.1 - User Registration and Access Rights (IP spoofing circumvents access controls) ECC 2024 A.12.4.1 - Event Logging (audit log poisoning) ECC 2024 A.12.4.3 - Protection of Log Information (log integrity compromise)

🔵 SAMA CSF

SAMA CSF ID.AM-1 - Asset Management (HestiaCP infrastructure inventory) SAMA CSF PR.AC-1 - Access Control Policy (authentication mechanism failure) SAMA CSF PR.AC-2 - Physical and Logical Access (IP-based access controls bypassed) SAMA CSF DE.AE-1 - Anomalies and Events (suspicious authentication patterns) SAMA CSF DE.CM-1 - Detection Processes (monitoring for IP spoofing)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.2 - Information Security Policies (access control policy) ISO 27001:2022 A.8.2 - User Access Management (authentication controls) ISO 27001:2022 A.8.3 - User Responsibilities (password/MFA enforcement) ISO 27001:2022 A.12.4 - Logging (audit trail integrity)

🟣 PCI DSS v4.0.1

PCI DSS 2.1 - Change default passwords PCI DSS 6.5.10 - Broken authentication PCI DSS 8.1 - User identification and authentication PCI DSS 10.2 - Implement automated audit trails

🔗 المراجع والمصادر 5

🔗

https://github.com/hestiacp/hestiacp/commit/f381e294500f671cf12716c638afd0bfde901f88

disclosure@vulncheck.com

🔗

https://github.com/hestiacp/hestiacp/issues/5229

disclosure@vulncheck.com

🔗

https://github.com/hestiacp/hestiacp/pull/5273

disclosure@vulncheck.com

🔗

https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2...

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header

disclosure@vulncheck.com

📊 CVSS Score

7.5

/ 10.0 — مرتفع

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityH — High

AvailabilityN — None / Network

📋 حقائق سريعة

الخطورة مرتفع

CVSS Score7.5

CWECWE-348

EPSS0.05%

اختراق متاح لا

تصحيح متاح ✗ لا

تاريخ النشر 2026-05-19

المصدر nvd

المشاهدات 1

🇸🇦 درجة المخاطر السعودية

8.2

/ 10.0 — مخاطر السعودية

أولوية: CRITICAL

🏷️ الوسوم

CWE-348

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-43634

عرّفنا بنفسك

تسجيل الدخول مطلوب