<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Hestiacp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/hestiacp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 19:20:53 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/hestiacp/feed.xml" rel="self" type="application/rss+xml"/><item><title>HestiaCP Authenticated OS Command Injection via DNS Record Types (CVE-2025-30007)</title><link>https://feed.craftedsignal.io/briefs/2026-07-hestiacp-os-command-injection/</link><pubDate>Fri, 10 Jul 2026 19:20:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-hestiacp-os-command-injection/</guid><description>An authenticated OS command injection vulnerability, CVE-2025-30007, in HestiaCP before version 1.9.5 allows low-privilege users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types, leading to full root code execution on the underlying host.</description><content:encoded><![CDATA[<p>CVE-2025-30007 describes a critical authenticated OS command injection vulnerability affecting HestiaCP versions prior to 1.9.5. This flaw enables any low-privilege authenticated user of a HestiaCP instance to escalate their privileges to root and execute arbitrary commands on the underlying Linux operating system. The vulnerability originates from insufficient input validation within the <code>is_dns_record_format_valid()</code> function and subsequent unsafe <code>eval</code>-based parsing in <code>update_domain_zone()</code>. By injecting a specially crafted single-quote character into certain DNS record type fields during the creation or modification of a DNS record, an attacker can prematurely terminate a variable assignment string, allowing their malicious payload to be executed directly as root. This vulnerability poses a significant threat to the integrity and confidentiality of systems running affected HestiaCP installations, potentially leading to complete system compromise and data loss.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: A low-privilege authenticated user gains access to the HestiaCP administration panel, typically through legitimate credentials or by compromising such credentials.</li>
<li><strong>Input Submission</strong>: The authenticated user navigates to the DNS management section within the HestiaCP panel and attempts to create or modify a DNS record, specifically targeting a field where DNS record types are expected.</li>
<li><strong>Command Injection</strong>: The user crafts a malicious payload containing a single-quote character (<code>'</code>) and injects it into the vulnerable DNS record type field, designed to break out of expected string assignments.</li>
<li><strong>Input Validation Bypass</strong>: The HestiaCP function <code>is_dns_record_format_valid()</code> fails to properly sanitize or validate the malicious input, allowing the injected single-quote character and the subsequent command payload to pass through.</li>
<li><strong>Unsafe Parsing</strong>: The <code>update_domain_zone()</code> function processes the unvalidated input using an <code>eval</code>-based parsing mechanism. This unsafe evaluation interprets the injected malicious payload as executable code rather than a literal string.</li>
<li><strong>Root Command Execution</strong>: HestiaCP executes the attacker's arbitrary commands directly on the underlying Linux host, inheriting root privileges due to the context of the HestiaCP process.</li>
<li><strong>System Compromise</strong>: With root-level command execution, the attacker achieves full control over the host system, enabling them to install backdoors, exfiltrate sensitive data, deploy malware, or further pivot within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2025-30007 grants low-privilege authenticated users complete root access to the underlying HestiaCP server. This severe impact means an attacker can take full control of the operating system, including all hosted websites, databases, and sensitive configuration files. Potential consequences include unauthorized data exfiltration, installation of persistent backdoors, deployment of ransomware, or the use of the compromised server as a platform for further attacks. This could lead to significant financial losses, reputational damage, and regulatory penalties for affected organizations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update HestiaCP to version 1.9.5 or later to patch CVE-2025-30007.</li>
<li>Review web server access logs for HestiaCP administration interfaces for unusual authentication patterns or attempts from unknown IPs.</li>
<li>Monitor system process creation logs on HestiaCP servers for processes spawned by the HestiaCP user (e.g., <code>www-data</code>, <code>nginx</code>) that are not part of normal operations, especially those indicative of shell commands or reverse shells.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>command-injection</category><category>privilege-escalation</category><category>linux</category><category>hestiacp</category></item></channel></rss>