{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cyberpanel/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2021-47949"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["CyberPanel"],"_cs_severities":["high"],"_cs_tags":["cve","command execution","symlink","linux"],"_cs_type":"advisory","_cs_vendors":["CyberPanel"],"content_html":"\u003cp\u003eCyberPanel 2.1 is susceptible to a command execution vulnerability (CVE-2021-47949) that allows authenticated attackers to perform symlink attacks through the filemanager controller endpoint. This vulnerability is exploited by manipulating the \u003ccode\u003ecompleteStartingPath\u003c/code\u003e parameter in POST requests to \u003ccode\u003e/filemanager/controller\u003c/code\u003e. Successful exploitation allows attackers to read arbitrary files, including sensitive data such as database credentials, and execute arbitrary shell commands through the \u003ccode\u003e/websites/fetchFolderDetails\u003c/code\u003e endpoint. This poses a significant risk to organizations using vulnerable CyberPanel instances, potentially leading to data breaches, system compromise, and unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the CyberPanel web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003e/filemanager/controller\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a manipulated \u003ccode\u003ecompleteStartingPath\u003c/code\u003e parameter, designed to create a symbolic link to a sensitive file (e.g., \u003ccode\u003e/etc/shadow\u003c/code\u003e or database configuration files).\u003c/li\u003e\n\u003cli\u003eCyberPanel creates the symlink based on the attacker-supplied path.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to \u003ccode\u003e/websites/fetchFolderDetails\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis request leverages the previously created symlink to access the target file.\u003c/li\u003e\n\u003cli\u003eCyberPanel reads the contents of the file pointed to by the symlink and returns it to the attacker, or executes a command.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information, or executes arbitrary commands on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2021-47949) allows attackers to read arbitrary files on the server, potentially gaining access to sensitive data such as database credentials, configuration files, and private keys. Furthermore, the attacker can execute arbitrary shell commands, leading to complete system compromise, data exfiltration, and denial-of-service. While the number of victims is not specified, any CyberPanel 2.1 instance exposed to authenticated attackers is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CyberPanel CVE-2021-47949 Exploitation Attempt\u0026rdquo; to your SIEM to identify potential exploitation attempts based on HTTP POST requests to the \u003ccode\u003e/filemanager/controller\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CyberPanel CVE-2021-47949 fetchFolderDetails\u0026rdquo; to your SIEM to identify potential exploitation attempts based on HTTP requests to the \u003ccode\u003e/websites/fetchFolderDetails\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/filemanager/controller\u003c/code\u003e containing unusual \u003ccode\u003ecompleteStartingPath\u003c/code\u003e parameters, as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-10T13:21:50Z","date_published":"2026-05-10T13:21:50Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47949-cyberpanel-rce/","summary":"CyberPanel version 2.1 is vulnerable to command execution (CVE-2021-47949) where an authenticated attacker can exploit symlink attacks via the filemanager controller endpoint by manipulating the completeStartingPath parameter in POST requests, leading to sensitive file access and arbitrary shell command execution.","title":"CyberPanel 2.1 Authenticated Remote Command Execution via Symlink Exploitation (CVE-2021-47949)","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2021-47949-cyberpanel-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CyberPanel","version":"https://jsonfeed.org/version/1.1"}