<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pheditor (&gt;= 2.0.1, &lt; 2.0.6) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pheditor--2.0.1--2.0.6/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 20:13:37 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pheditor--2.0.1--2.0.6/feed.xml" rel="self" type="application/rss+xml"/><item><title>Pheditor Hardcoded Admin Password Leads to Remote Code Execution (CVE-2026-55579)</title><link>https://feed.craftedsignal.io/briefs/2026-07-pheditor-hardcoded-admin-password/</link><pubDate>Thu, 16 Jul 2026 20:13:37 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pheditor-hardcoded-admin-password/</guid><description>Pheditor contains a critical vulnerability (CVE-2026-55579) where a hardcoded default password 'admin' with no forced change mechanism upon first login allows an unauthenticated attacker to gain full administrative access, enabling arbitrary file read/write and remote code execution through the application's terminal feature, leading to complete server compromise.</description><content:encoded><![CDATA[<p>Pheditor, a web-based file editor, is affected by a critical vulnerability, CVE-2026-55579, stemming from a hardcoded default password. The application ships with a default administrator password &quot;admin,&quot; which is stored as an unsalted SHA-512 hash in the <code>pheditor.php</code> source file. There is no enforced mechanism to prompt a password change upon initial login, nor are there any lockout policies for incorrect attempts. This design flaw allows any unauthenticated attacker to bypass authentication by using the well-known default credentials. Upon successful login, the attacker gains full administrative control over the application's features, including file upload capabilities, arbitrary file read/write, and a terminal for remote code execution. This directly leads to server compromise, enabling data exfiltration, service disruption, and the establishment of persistent backdoors. All versions of Pheditor are affected.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a Pheditor instance exposed to the internet.</li>
<li>The attacker attempts to authenticate to the Pheditor web interface using the publicly known default password &quot;admin.&quot;</li>
<li>Pheditor accepts the default credentials, grants the attacker an authenticated session, and sets a session cookie.</li>
<li>The attacker loads the Pheditor interface, extracts the CSRF token from the HTML source, and gains full administrative control over the application's features.</li>
<li>Leveraging the authenticated session and CSRF token, the attacker accesses the built-in terminal feature.</li>
<li>The attacker executes arbitrary commands on the underlying server via the terminal, achieving remote code execution.</li>
<li>The attacker proceeds with further actions such as arbitrary file upload, reading sensitive files, modifying application code, or deleting directories, leading to full server compromise and data impact.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The vulnerability (CVE-2026-55579, CWE-798) grants an unauthenticated attacker full administrator access to the Pheditor application if default credentials are in use. This leads to high impact across confidentiality, integrity, and availability. Attackers can read any files accessible by the web server process, potentially leading to sensitive data exposure. Integrity is compromised through the ability to write/delete files, upload webshells, or modify application code. Furthermore, the terminal feature allows for arbitrary command execution, providing complete control over the underlying server. This could lead to full system compromise, data exfiltration, defacement, or denial of service through deletion of critical files and directories.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Immediately change the default 'admin' password</strong> on all Pheditor instances to a strong, unique password.</li>
<li><strong>Implement a robust password policy</strong> that forces users to change default passwords upon first login.</li>
<li><strong>Ensure Pheditor instances are not exposed to the public internet</strong> unless absolutely necessary, and protect them behind a firewall or VPN.</li>
<li><strong>Review web server access logs</strong> for POST requests to <code>/pheditor.php</code> originating from unknown IP addresses, especially if <code>pheditor_password=admin</code> was used in the request body.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>hardcoded-credentials</category><category>rce</category><category>web-application</category><category>cve</category><category>web-vulnerability</category><category>command-injection</category><category>php</category></item></channel></rss>