{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/hestiacp-1.2.0---1.9.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-43634"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HestiaCP (1.2.0 - 1.9.4)"],"_cs_severities":["high"],"_cs_tags":["ip-spoofing","authentication-bypass","cve"],"_cs_type":"advisory","_cs_vendors":["HestiaCP"],"content_html":"\u003cp\u003eHestiaCP, a popular open-source hosting control panel, is vulnerable to IP address spoofing in versions 1.2.0 through 1.9.4. This vulnerability, identified as CVE-2026-43634, enables unauthenticated remote attackers to forge the source IP address of HTTP requests by injecting an arbitrary IP address into the \u003ccode\u003eCF-Connecting-IP\u003c/code\u003e HTTP header. This header is intended to be used when HestiaCP is deployed behind Cloudflare, but the application fails to validate that the request indeed originated from Cloudflare\u0026rsquo;s network. By exploiting this flaw, attackers can bypass security measures like fail2ban\u0026rsquo;s brute-force protection, circumvent per-user IP address allowlists, and manipulate authentication audit logs. The lack of proper validation on this header presents a significant risk to the integrity and security of HestiaCP installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable HestiaCP instance running versions 1.2.0 through 1.9.4.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an authentication endpoint (e.g., login page).\u003c/li\u003e\n\u003cli\u003eThe attacker adds the \u003ccode\u003eCF-Connecting-IP\u003c/code\u003e header to the HTTP request, setting its value to a desired, spoofed IP address (e.g., a trusted IP or a local address).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted HTTP request to the vulnerable HestiaCP server.\u003c/li\u003e\n\u003cli\u003eHestiaCP incorrectly uses the spoofed IP address from the \u003ccode\u003eCF-Connecting-IP\u003c/code\u003e header for authentication checks and logging.\u003c/li\u003e\n\u003cli\u003eThe attacker circumvents fail2ban\u0026rsquo;s brute-force protection, as the repeated failed login attempts appear to originate from the spoofed IP address, which may be whitelisted or otherwise ignored by fail2ban.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses per-user IP address allowlists if the spoofed IP matches an allowed IP address for the target user.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates or performs privileged actions, while the authentication logs record the spoofed IP address, hindering accurate auditing and incident response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass critical security controls, potentially leading to unauthorized access to sensitive data and system resources. By circumventing fail2ban, attackers can perform brute-force attacks without being blocked. Bypassing IP address allowlists grants unauthorized access to restricted areas of the control panel. Furthermore, by poisoning authentication logs, attackers can cover their tracks and complicate incident investigations. This could affect any HestiaCP instance running versions 1.2.0 to 1.9.4, potentially impacting thousands of servers and their hosted websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect HestiaCP IP Spoofing via CF-Connecting-IP Header\u0026rdquo; to identify attempts to exploit CVE-2026-43634 in your environment.\u003c/li\u003e\n\u003cli\u003eApply available patches or upgrade HestiaCP instances to a version beyond 1.9.4 to remediate CVE-2026-43634.\u003c/li\u003e\n\u003cli\u003eInspect web server access logs for HTTP requests containing the \u003ccode\u003eCF-Connecting-IP\u003c/code\u003e header and investigate any anomalies, correlating with authentication failures or suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation to ensure that the \u003ccode\u003eCF-Connecting-IP\u003c/code\u003e header only contains IP addresses originating from legitimate Cloudflare infrastructure, based on their published IP ranges.\u003c/li\u003e\n\u003cli\u003eUse the provided information on affected products and versions to prioritize patching efforts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T15:19:10Z","date_published":"2026-05-19T15:19:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hestiacp-ip-spoofing/","summary":"HestiaCP versions 1.2.0 through 1.9.4 are vulnerable to IP spoofing (CVE-2026-43634), allowing unauthenticated remote attackers to bypass authentication security controls by manipulating the CF-Connecting-IP HTTP header to circumvent fail2ban, bypass IP allowlists, and poison authentication logs.","title":"HestiaCP IP Spoofing Vulnerability (CVE-2026-43634)","url":"https://feed.craftedsignal.io/briefs/2026-05-hestiacp-ip-spoofing/"}],"language":"en","title":"CraftedSignal Threat Feed — HestiaCP (1.2.0 - 1.9.4)","version":"https://jsonfeed.org/version/1.1"}