{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-35175/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ajenti","authorization-bypass","privilege-escalation","CVE-2026-35175"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAjenti is a web-based system administration panel. Prior to version 2.2.15, a flaw exists in the \u003ccode\u003eauth_users\u003c/code\u003e authentication plugin that permits authenticated users lacking superuser privileges to install custom packages. This vulnerability, identified as CVE-2026-35175, allows a low-privileged user to bypass intended authorization checks, potentially escalating their privileges and compromising the entire system. An attacker could leverage this vulnerability to install malicious packages, execute arbitrary code with elevated privileges, and gain unauthorized access to sensitive data or system functionalities. Organizations using vulnerable versions of Ajenti are at risk of internal privilege escalation attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the Ajenti web panel with a valid, non-superuser account using the \u003ccode\u003eauth_users\u003c/code\u003e plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the custom package installation feature within the Ajenti web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious custom package designed to execute arbitrary commands or install backdoors.\u003c/li\u003e\n\u003cli\u003eAjenti fails to properly validate the user\u0026rsquo;s privileges before initiating the package installation process.\u003c/li\u003e\n\u003cli\u003eThe malicious package is installed with the privileges of the Ajenti process, which may include elevated permissions.\u003c/li\u003e\n\u003cli\u003eThe malicious package executes its payload, potentially installing a reverse shell, creating new administrative accounts, or modifying critical system files.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the installed backdoor or elevated privileges to gain persistent access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an authenticated, non-superuser user to execute arbitrary code with elevated privileges. This can lead to full system compromise, data theft, and disruption of services. While the precise number of affected installations is unknown, any organization running Ajenti versions prior to 2.2.15 with the \u003ccode\u003eauth_users\u003c/code\u003e authentication plugin enabled is vulnerable. The impact includes potential data breaches, system downtime, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Ajenti to version 2.2.15 or later to patch CVE-2026-35175 (see References).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Ajenti Package Installation\u003c/code\u003e to detect unauthorized package installations.\u003c/li\u003e\n\u003cli\u003eReview Ajenti access logs for unusual activity or attempts to access restricted functionalities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:57:43Z","date_published":"2026-04-03T03:57:43Z","id":"/briefs/2026-04-ajenti-auth-bypass/","summary":"Ajenti versions before 2.2.15 contain an authorization bypass vulnerability that allows authenticated non-superuser users to install custom packages, potentially leading to privilege escalation and system compromise.","title":"Ajenti Authorization Bypass Vulnerability (CVE-2026-35175)","url":"https://feed.craftedsignal.io/briefs/2026-04-ajenti-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-35175","version":"https://jsonfeed.org/version/1.1"}