{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/hestiacp--1.9.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-30007"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HestiaCP \u003c 1.9.5"],"_cs_severities":["high"],"_cs_tags":["vulnerability","command-injection","privilege-escalation","linux","hestiacp"],"_cs_type":"advisory","_cs_vendors":["HestiaCP"],"content_html":"\u003cp\u003eCVE-2025-30007 describes a critical authenticated OS command injection vulnerability affecting HestiaCP versions prior to 1.9.5. This flaw enables any low-privilege authenticated user of a HestiaCP instance to escalate their privileges to root and execute arbitrary commands on the underlying Linux operating system. The vulnerability originates from insufficient input validation within the \u003ccode\u003eis_dns_record_format_valid()\u003c/code\u003e function and subsequent unsafe \u003ccode\u003eeval\u003c/code\u003e-based parsing in \u003ccode\u003eupdate_domain_zone()\u003c/code\u003e. By injecting a specially crafted single-quote character into certain DNS record type fields during the creation or modification of a DNS record, an attacker can prematurely terminate a variable assignment string, allowing their malicious payload to be executed directly as root. This vulnerability poses a significant threat to the integrity and confidentiality of systems running affected HestiaCP installations, potentially leading to complete system compromise and data loss.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: A low-privilege authenticated user gains access to the HestiaCP administration panel, typically through legitimate credentials or by compromising such credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInput Submission\u003c/strong\u003e: The authenticated user navigates to the DNS management section within the HestiaCP panel and attempts to create or modify a DNS record, specifically targeting a field where DNS record types are expected.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Injection\u003c/strong\u003e: The user crafts a malicious payload containing a single-quote character (\u003ccode\u003e'\u003c/code\u003e) and injects it into the vulnerable DNS record type field, designed to break out of expected string assignments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInput Validation Bypass\u003c/strong\u003e: The HestiaCP function \u003ccode\u003eis_dns_record_format_valid()\u003c/code\u003e fails to properly sanitize or validate the malicious input, allowing the injected single-quote character and the subsequent command payload to pass through.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnsafe Parsing\u003c/strong\u003e: The \u003ccode\u003eupdate_domain_zone()\u003c/code\u003e function processes the unvalidated input using an \u003ccode\u003eeval\u003c/code\u003e-based parsing mechanism. This unsafe evaluation interprets the injected malicious payload as executable code rather than a literal string.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRoot Command Execution\u003c/strong\u003e: HestiaCP executes the attacker's arbitrary commands directly on the underlying Linux host, inheriting root privileges due to the context of the HestiaCP process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise\u003c/strong\u003e: With root-level command execution, the attacker achieves full control over the host system, enabling them to install backdoors, exfiltrate sensitive data, deploy malware, or further pivot within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2025-30007 grants low-privilege authenticated users complete root access to the underlying HestiaCP server. This severe impact means an attacker can take full control of the operating system, including all hosted websites, databases, and sensitive configuration files. Potential consequences include unauthorized data exfiltration, installation of persistent backdoors, deployment of ransomware, or the use of the compromised server as a platform for further attacks. This could lead to significant financial losses, reputational damage, and regulatory penalties for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update HestiaCP to version 1.9.5 or later to patch CVE-2025-30007.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for HestiaCP administration interfaces for unusual authentication patterns or attempts from unknown IPs.\u003c/li\u003e\n\u003cli\u003eMonitor system process creation logs on HestiaCP servers for processes spawned by the HestiaCP user (e.g., \u003ccode\u003ewww-data\u003c/code\u003e, \u003ccode\u003enginx\u003c/code\u003e) that are not part of normal operations, especially those indicative of shell commands or reverse shells.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:20:53Z","date_published":"2026-07-10T19:20:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-hestiacp-os-command-injection/","summary":"An authenticated OS command injection vulnerability, CVE-2025-30007, in HestiaCP before version 1.9.5 allows low-privilege users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types, leading to full root code execution on the underlying host.","title":"HestiaCP Authenticated OS Command Injection via DNS Record Types (CVE-2025-30007)","url":"https://feed.craftedsignal.io/briefs/2026-07-hestiacp-os-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - HestiaCP \u003c 1.9.5","version":"https://jsonfeed.org/version/1.1"}