Ajenti — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/ajenti/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 03 Apr 2026 03:57:43 +0000Ajenti Authorization Bypass Vulnerability (CVE-2026-35175)https://feed.craftedsignal.io/briefs/2026-04-ajenti-auth-bypass/Fri, 03 Apr 2026 03:57:43 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-ajenti-auth-bypass/Ajenti versions before 2.2.15 contain an authorization bypass vulnerability that allows authenticated non-superuser users to install custom packages, potentially leading to privilege escalation and system compromise.Ajenti is a web-based system administration panel. Prior to version 2.2.15, a flaw exists in the auth_users authentication plugin that permits authenticated users lacking superuser privileges to install custom packages. This vulnerability, identified as CVE-2026-35175, allows a low-privileged user to bypass intended authorization checks, potentially escalating their privileges and compromising the entire system. An attacker could leverage this vulnerability to install malicious packages, execute arbitrary code with elevated privileges, and gain unauthorized access to sensitive data or system functionalities. Organizations using vulnerable versions of Ajenti are at risk of internal privilege escalation attacks.

Attack Chain

  1. An attacker gains initial access to the Ajenti web panel with a valid, non-superuser account using the auth_users plugin.
  2. The attacker navigates to the custom package installation feature within the Ajenti web interface.
  3. The attacker uploads a malicious custom package designed to execute arbitrary commands or install backdoors.
  4. Ajenti fails to properly validate the user’s privileges before initiating the package installation process.
  5. The malicious package is installed with the privileges of the Ajenti process, which may include elevated permissions.
  6. The malicious package executes its payload, potentially installing a reverse shell, creating new administrative accounts, or modifying critical system files.
  7. The attacker leverages the installed backdoor or elevated privileges to gain persistent access to the system.

Impact

Successful exploitation of this vulnerability allows an authenticated, non-superuser user to execute arbitrary code with elevated privileges. This can lead to full system compromise, data theft, and disruption of services. While the precise number of affected installations is unknown, any organization running Ajenti versions prior to 2.2.15 with the auth_users authentication plugin enabled is vulnerable. The impact includes potential data breaches, system downtime, and reputational damage.

Recommendation

  • Immediately upgrade Ajenti to version 2.2.15 or later to patch CVE-2026-35175 (see References).
  • Implement the Sigma rule Detect Suspicious Ajenti Package Installation to detect unauthorized package installations.
  • Review Ajenti access logs for unusual activity or attempts to access restricted functionalities.
]]>highadvisoryajentiauthorization-bypassprivilege-escalationCVE-2026-35175