{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/hestiacp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-43634"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HestiaCP (1.2.0 - 1.9.4)"],"_cs_severities":["high"],"_cs_tags":["ip-spoofing","authentication-bypass","cve"],"_cs_type":"advisory","_cs_vendors":["HestiaCP"],"content_html":"\u003cp\u003eHestiaCP, a popular open-source hosting control panel, is vulnerable to IP address spoofing in versions 1.2.0 through 1.9.4. This vulnerability, identified as CVE-2026-43634, enables unauthenticated remote attackers to forge the source IP address of HTTP requests by injecting an arbitrary IP address into the \u003ccode\u003eCF-Connecting-IP\u003c/code\u003e HTTP header. This header is intended to be used when HestiaCP is deployed behind Cloudflare, but the application fails to validate that the request indeed originated from Cloudflare\u0026rsquo;s network. By exploiting this flaw, attackers can bypass security measures like fail2ban\u0026rsquo;s brute-force protection, circumvent per-user IP address allowlists, and manipulate authentication audit logs. 
Because the header is trusted regardless of which host actually opened the TCP connection, any client that can reach the panel directly chooses the address that HestiaCP\u0026rsquo;s security controls and audit logs see.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable HestiaCP instance running versions 1.2.0 through 1.9.4 that can be reached directly rather than only through Cloudflare\u0026rsquo;s proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request targeting an authentication endpoint (e.g., the login page).\u003c/li\u003e\n\u003cli\u003eThe attacker adds a \u003ccode\u003eCF-Connecting-IP\u003c/code\u003e header to the request, setting its value to an address of their choosing (e.g., an address on the target user\u0026rsquo;s allowlist, or a loopback address).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the vulnerable HestiaCP server.\u003c/li\u003e\n\u003cli\u003eHestiaCP uses the spoofed address from the \u003ccode\u003eCF-Connecting-IP\u003c/code\u003e header, rather than the connecting peer\u0026rsquo;s address, for authentication checks and logging.\u003c/li\u003e\n\u003cli\u003eThe attacker circumvents fail2ban\u0026rsquo;s brute-force protection: fail2ban bans the address recorded in the authentication log, which is now the spoofed value rather than the attacker\u0026rsquo;s real address, so the attacker is never banned and can change the spoofed value on every attempt to keep each recorded address below the ban threshold.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses per-user IP address allowlists if the spoofed value matches an allowed address for the target user.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates or performs privileged actions, while the authentication logs record the spoofed address, hindering accurate auditing and incident response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security controls that depend on the client address, potentially leading to unauthorized access to sensitive data and system resources. By circumventing fail2ban, attackers can run brute-force attacks against panel credentials without being blocked. 
Bypassing per-user IP allowlists removes a control that would otherwise block a login even when the credentials are valid. Furthermore, because the authentication log records the spoofed address, attackers can cover their tracks and complicate incident investigations. Any HestiaCP instance running versions 1.2.0 to 1.9.4 that can be reached directly, rather than only through Cloudflare\u0026rsquo;s proxy, is affected, along with the websites it hosts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect HestiaCP IP Spoofing via CF-Connecting-IP Header\u0026rdquo; to identify attempts to exploit CVE-2026-43634 in your environment.\u003c/li\u003e\n\u003cli\u003eApply available patches or upgrade HestiaCP instances to a version beyond 1.9.4 to remediate CVE-2026-43634.\u003c/li\u003e\n\u003cli\u003eInspect web server access logs for HTTP requests carrying a \u003ccode\u003eCF-Connecting-IP\u003c/code\u003e header from a peer address outside Cloudflare\u0026rsquo;s ranges, and correlate hits with authentication failures or other suspicious activity. Note that default access-log formats do not record request headers; the header has to be added to the log format (for example through nginx\u0026rsquo;s \u003ccode\u003e$http_cf_connecting_ip\u003c/code\u003e variable) before such a search is possible.\u003c/li\u003e\n\u003cli\u003eImplement server-side validation that honours the \u003ccode\u003eCF-Connecting-IP\u003c/code\u003e header only when the connecting peer\u0026rsquo;s address (the TCP source, not the header value) falls within Cloudflare\u0026rsquo;s published IP ranges, and otherwise ignores the header and uses the peer address. Checking the header value itself against those ranges is the wrong test: the value is the visitor\u0026rsquo;s address and will normally not be a Cloudflare address. Where possible, also firewall the origin so that only Cloudflare\u0026rsquo;s ranges can reach the panel directly.\u003c/li\u003e\n\u003cli\u003eUse the provided information on affected products and versions to prioritize patching efforts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T15:19:10Z","date_published":"2026-05-19T15:19:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hestiacp-ip-spoofing/","summary":"HestiaCP versions 1.2.0 through 1.9.4 are vulnerable to IP spoofing (CVE-2026-43634), allowing unauthenticated remote attackers to bypass authentication security controls by manipulating the CF-Connecting-IP HTTP header to circumvent fail2ban, bypass IP allowlists, and poison authentication logs.","title":"HestiaCP IP Spoofing Vulnerability 
(CVE-2026-43634)","url":"https://feed.craftedsignal.io/briefs/2026-05-hestiacp-ip-spoofing/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":10,"id":"CVE-2026-43633"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HestiaCP 1.9.0","HestiaCP 1.9.1","HestiaCP 1.9.2","HestiaCP 1.9.3","HestiaCP 1.9.4"],"_cs_severities":["critical"],"_cs_tags":["deserialization","rce","cve"],"_cs_type":"threat","_cs_vendors":["HestiaCP"],"content_html":"\u003cp\u003eHestiaCP versions 1.9.0, 1.9.1, 1.9.2, 1.9.3, and 1.9.4 are affected by a critical deserialization vulnerability (CVE-2026-43633) within the web terminal component. This vulnerability arises from an inconsistency in session handling between PHP and Node.js. Specifically, the PHP session handler processes HTTP headers containing crafted data, but the Node.js web terminal component incorrectly deserializes these values, treating them as trusted session data. This discrepancy enables unauthenticated remote attackers to execute arbitrary code at the root level on vulnerable systems where the web terminal feature is enabled. The attacker exploits the session format mismatch to inject malicious commands through HTTP headers, leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the HestiaCP server.\u003c/li\u003e\n\u003cli\u003eThe HTTP request includes malicious serialized data within the HTTP headers, targeting session variables used by the web terminal component.\u003c/li\u003e\n\u003cli\u003eThe PHP session handler processes and stores the malicious data in the session.\u003c/li\u003e\n\u003cli\u003eThe Node.js web terminal component deserializes the session data. 
Due to the format mismatch between PHP\u0026rsquo;s serialization and Node.js\u0026rsquo;s deserialization, the injected data is interpreted as code.\u003c/li\u003e\n\u003cli\u003eThe deserialized code is executed within the context of the Node.js web terminal process. As described above, this is code execution at the root level, so the attacker obtains root directly and needs no separate privilege-escalation step.\u003c/li\u003e\n\u003cli\u003eWith root privileges, the attacker can install malware, create new user accounts, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistent access and control over the compromised HestiaCP server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated remote attackers to gain complete control of the HestiaCP server. This can lead to data breaches, system downtime, and the potential for further attacks on other systems within the network. 
The CVSS v3.1 base score is 10.0 (critical): unauthenticated, reachable over the network, and resulting in full root compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a version of HestiaCP beyond 1.9.4 to remediate CVE-2026-43633.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect HestiaCP CVE-2026-43633 Attack\u003c/code\u003e to identify exploitation attempts based on suspicious HTTP headers in web server logs. The rule can only match headers that the web server actually writes to its logs; default access-log formats omit request headers, so confirm that the relevant headers are being logged before relying on it.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual patterns in HTTP headers, specifically those related to session management.\u003c/li\u003e\n\u003cli\u003eDisable the web terminal feature if it is not actively used; this removes the vulnerable code path and reduces the attack surface until patches can be applied. Where the feature is required, restrict access to the control panel to trusted networks in the meantime.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T14:17:43Z","date_published":"2026-05-19T14:17:43Z","id":"https://feed.craftedsignal.io/briefs/2026-05-hestiacp-deserialization/","summary":"HestiaCP versions 1.9.0 through 1.9.4 are vulnerable to unauthenticated remote code execution due to a deserialization flaw in the web terminal component (CVE-2026-43633), stemming from a session format mismatch between PHP and Node.js, allowing attackers to inject malicious data via HTTP headers.","title":"HestiaCP Deserialization Vulnerability (CVE-2026-43633)","url":"https://feed.craftedsignal.io/briefs/2026-05-hestiacp-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — HestiaCP","version":"https://jsonfeed.org/version/1.1"}
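Worked example added by the editor for the CVE-2026-43634 brief above; it is not code from the CraftedSignal feed or from HestiaCP. It shows the peer-based trust rule that the brief's Recommendation section calls for (honour `CF-Connecting-IP` only when the TCP peer is a Cloudflare edge) beside a detection pass over access-log lines that flags requests carrying the header from a non-Cloudflare peer, and goes slightly beyond the brief by failing closed on malformed header values. Assumptions: the Cloudflare range list is an illustrative snapshot that must be refreshed from Cloudflare's published list in production; the log lines are constructed and assume an nginx `log_format` that appends `cf_ip="$http_cf_connecting_ip"`; all function names are the editor's own.

```python
"""Trust CF-Connecting-IP only from Cloudflare peers; flag spoof attempts in access logs."""
import ipaddress
import re
from typing import Dict, Iterable, List, Mapping

# Snapshot of Cloudflare's published IPv4 ranges. Assumption: in production this
# list is refreshed from https://www.cloudflare.com/ips-v4 (and ips-v6) rather
# than hard-coded; the entries below are illustrative and may be stale.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
        "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
        "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
        "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    )
]


def is_cloudflare_peer(peer_ip: str, trusted=CLOUDFLARE_RANGES) -> bool:
    """True if the TCP peer address belongs to one of the trusted Cloudflare ranges."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(peer in net for net in trusted)


def client_ip(peer_ip: str, headers: Mapping[str, str], trusted=CLOUDFLARE_RANGES) -> str:
    """Address to use for auth decisions, fail2ban-style rate limiting and audit logs.

    The vulnerable behaviour is to return the CF-Connecting-IP value whenever it is
    present. The hardened rule: honour the header only if the peer that opened the
    connection is itself a Cloudflare edge, otherwise ignore it and use the peer
    address. Note that the header value is never checked against the Cloudflare
    ranges (it is the visitor's address); only the peer is.
    """
    forwarded = next((v for k, v in headers.items() if k.lower() == "cf-connecting-ip"), None)
    if forwarded is None or not is_cloudflare_peer(peer_ip, trusted):
        return peer_ip
    try:
        return str(ipaddress.ip_address(forwarded.strip()))
    except ValueError:
        # A Cloudflare edge never sends a malformed value; fail closed to the peer.
        return peer_ip


# Assumption: nginx log_format extended with cf_ip="$http_cf_connecting_ip"
# (nginx writes "-" when the header is absent).
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) cf_ip="(?P<cf>[^"]*)"'
)


def find_spoofing_attempts(lines: Iterable[str], trusted=CLOUDFLARE_RANGES) -> List[Dict[str, str]]:
    """Return requests that carried CF-Connecting-IP from a non-Cloudflare peer.

    Such a request cannot have passed through Cloudflare's proxy, so the header was
    supplied by the client: the exact condition CVE-2026-43634 relies on.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cf = m.group("cf")
        if cf in ("", "-"):
            continue  # no header on this request
        if is_cloudflare_peer(m.group("peer"), trusted):
            continue  # arrived via Cloudflare; the header is legitimate
        hits.append({"peer": m.group("peer"), "spoofed": cf,
                     "request": m.group("request"), "status": m.group("status")})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/May/2026:15:19:10 +0000] "POST /login/ HTTP/1.1" 401 512 cf_ip="127.0.0.1"',
    '104.16.1.1 - - [19/May/2026:15:19:12 +0000] "POST /login/ HTTP/1.1" 200 2048 cf_ip="198.51.100.4"',
    '198.51.100.9 - - [19/May/2026:15:19:15 +0000] "GET /list/user/ HTTP/1.1" 200 4096 cf_ip="-"',
    '203.0.113.7 - - [19/May/2026:15:19:16 +0000] "POST /login/ HTTP/1.1" 401 512 cf_ip="192.0.2.44"',
]

if __name__ == "__main__":
    for hit in find_spoofing_attempts(SAMPLE_LOG):
        print(f"spoof attempt: peer={hit['peer']} claimed={hit['spoofed']} "
              f"{hit['request']} -> {hit['status']}")
    print(client_ip("203.0.113.7", {"CF-Connecting-IP": "127.0.0.1"}))  # 203.0.113.7
```

Two of the four sample lines are flagged: both come from 203.0.113.7, a non-Cloudflare peer, yet claim a different address, and both are failed logins, which is the pattern fail2ban would have counted against the wrong address. The second line is not flagged because its peer (104.16.1.1) is inside a Cloudflare range, so its header is the one Cloudflare set. The same distinction is what `client_ip` enforces at request time: the header is a hint from the upstream proxy, trusted only when the proxy can be identified by the connection itself.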