{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/hestiacp-1.9.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":10,"id":"CVE-2026-43633"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HestiaCP 1.9.0","HestiaCP 1.9.1","HestiaCP 1.9.2","HestiaCP 1.9.3","HestiaCP 1.9.4"],"_cs_severities":["critical"],"_cs_tags":["deserialization","rce","cve"],"_cs_type":"threat","_cs_vendors":["HestiaCP"],"content_html":"\u003cp\u003eHestiaCP versions 1.9.0, 1.9.1, 1.9.2, 1.9.3, and 1.9.4 are affected by a critical deserialization vulnerability (CVE-2026-43633) within the web terminal component. This vulnerability arises from an inconsistency in session handling between PHP and Node.js. Specifically, the PHP session handler processes HTTP headers containing crafted data, but the Node.js web terminal component incorrectly deserializes these values, treating them as trusted session data. This discrepancy enables unauthenticated remote attackers to execute arbitrary code at the root level on vulnerable systems where the web terminal feature is enabled. The attacker exploits the session format mismatch to inject malicious commands through HTTP headers, leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the HestiaCP server.\u003c/li\u003e\n\u003cli\u003eThe HTTP request includes malicious serialized data within the HTTP headers, targeting session variables used by the web terminal component.\u003c/li\u003e\n\u003cli\u003eThe PHP session handler processes and stores the malicious data in the session.\u003c/li\u003e\n\u003cli\u003eThe Node.js web terminal component deserializes the session data. Due to the format mismatch between PHP\u0026rsquo;s serialization and Node.js\u0026rsquo;s deserialization, the injected malicious data is interpreted as code.\u003c/li\u003e\n\u003cli\u003eThe deserialized code is executed within the context of the Node.js web terminal, granting the attacker control.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial code execution to escalate privileges to root.\u003c/li\u003e\n\u003cli\u003eWith root privileges, the attacker can install malware, create new user accounts, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistent access and control over the compromised HestiaCP server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated remote attackers to gain complete control over the HestiaCP server. This can lead to data breaches, system downtime, and the potential for further attacks on other systems within the network. Given the CVSS v3.1 base score of 10.0, this is a highly critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a version of HestiaCP beyond 1.9.4 to remediate CVE-2026-43633.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect HestiaCP CVE-2026-43633 Attack\u003c/code\u003e to identify exploitation attempts based on suspicious HTTP headers in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns in HTTP headers, specifically those related to session management.\u003c/li\u003e\n\u003cli\u003eDisable the web terminal feature if it is not actively used to reduce the attack surface until patches can be applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T14:17:43Z","date_published":"2026-05-19T14:17:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hestiacp-deserialization/","summary":"HestiaCP versions 1.9.0 through 1.9.4 are vulnerable to unauthenticated remote code execution due to a deserialization flaw in the web terminal component (CVE-2026-43633), stemming from a session format mismatch between PHP and Node.js, allowing attackers to inject malicious data via HTTP headers.","title":"HestiaCP Deserialization Vulnerability (CVE-2026-43633)","url":"https://feed.craftedsignal.io/briefs/2026-05-hestiacp-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — HestiaCP 1.9.4","version":"https://jsonfeed.org/version/1.1"}