https://feed.craftedsignal.io/vendors/hestiacp/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 19 May 2026 15:19:10 +0000https://feed.craftedsignal.io/briefs/2026-05-hestiacp-ip-spoofing/Tue, 19 May 2026 15:19:10 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-hestiacp-ip-spoofing/HestiaCP versions 1.2.0 through 1.9.4 are vulnerable to IP spoofing (CVE-2026-43634), allowing unauthenticated remote attackers to bypass authentication security controls by manipulating the CF-Connecting-IP HTTP header to circumvent fail2ban, bypass IP allowlists, and poison authentication logs.HestiaCP, a popular open-source hosting control panel, is vulnerable to IP address spoofing in versions 1.2.0 through 1.9.4. This vulnerability, identified as CVE-2026-43634, enables unauthenticated remote attackers to forge the source IP address of HTTP requests by injecting an arbitrary IP address into the CF-Connecting-IP HTTP header. This header is intended to be used when HestiaCP is deployed behind Cloudflare, but the application fails to validate that the request indeed originated from Cloudflare’s network. By exploiting this flaw, attackers can bypass security measures like fail2ban’s brute-force protection, circumvent per-user IP address allowlists, and manipulate authentication audit logs. The lack of proper validation on this header presents a significant risk to the integrity and security of HestiaCP installations.

Attack Chain

1. The attacker identifies a vulnerable HestiaCP instance running versions 1.2.0 through 1.9.4.
2. The attacker crafts a malicious HTTP request targeting an authentication endpoint (e.g., login page).
3. The attacker adds the CF-Connecting-IP header to the HTTP request, setting its value to a desired, spoofed IP address (e.g., a trusted IP or a local address).
4. The attacker sends the crafted HTTP request to the vulnerable HestiaCP server.
5. HestiaCP incorrectly uses the spoofed IP address from the CF-Connecting-IP header for authentication checks and logging.
6. The attacker circumvents fail2ban’s brute-force protection, as the repeated failed login attempts appear to originate from the spoofed IP address, which may be whitelisted or otherwise ignored by fail2ban.
7. The attacker bypasses per-user IP address allowlists if the spoofed IP matches an allowed IP address for the target user.
8. The attacker successfully authenticates or performs privileged actions, while the authentication logs record the spoofed IP address, hindering accurate auditing and incident response.

Impact

Successful exploitation of this vulnerability allows attackers to bypass critical security controls, potentially leading to unauthorized access to sensitive data and system resources. By circumventing fail2ban, attackers can perform brute-force attacks without being blocked. Bypassing IP address allowlists grants unauthorized access to restricted areas of the control panel. Furthermore, by poisoning authentication logs, attackers can cover their tracks and complicate incident investigations. This could affect any HestiaCP instance running versions 1.2.0 to 1.9.4, potentially impacting thousands of servers and their hosted websites.

Recommendation

• Deploy the Sigma rule “Detect HestiaCP IP Spoofing via CF-Connecting-IP Header” to identify attempts to exploit CVE-2026-43634 in your environment.
• Apply available patches or upgrade HestiaCP instances to a version beyond 1.9.4 to remediate CVE-2026-43634.
• Inspect web server access logs for HTTP requests containing the CF-Connecting-IP header and investigate any anomalies, correlating with authentication failures or suspicious activity.
• Implement server-side validation to ensure that the CF-Connecting-IP header only contains IP addresses originating from legitimate Cloudflare infrastructure, based on their published IP ranges.
• Use the provided information on affected products and versions to prioritize patching efforts.

]]>highadvisoryip-spoofingauthentication-bypasscvehttps://feed.craftedsignal.io/briefs/2026-05-hestiacp-deserialization/Tue, 19 May 2026 14:17:43 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-hestiacp-deserialization/HestiaCP versions 1.9.0 through 1.9.4 are vulnerable to unauthenticated remote code execution due to a deserialization flaw in the web terminal component (CVE-2026-43633), stemming from a session format mismatch between PHP and Node.js, allowing attackers to inject malicious data via HTTP headers.HestiaCP versions 1.9.0, 1.9.1, 1.9.2, 1.9.3, and 1.9.4 are affected by a critical deserialization vulnerability (CVE-2026-43633) within the web terminal component. This vulnerability arises from an inconsistency in session handling between PHP and Node.js. Specifically, the PHP session handler processes HTTP headers containing crafted data, but the Node.js web terminal component incorrectly deserializes these values, treating them as trusted session data. This discrepancy enables unauthenticated remote attackers to execute arbitrary code at the root level on vulnerable systems where the web terminal feature is enabled. The attacker exploits the session format mismatch to inject malicious commands through HTTP headers, leading to full system compromise.

Attack Chain

1. The attacker sends a crafted HTTP request to the HestiaCP server.
2. The HTTP request includes malicious serialized data within the HTTP headers, targeting session variables used by the web terminal component.
3. The PHP session handler processes and stores the malicious data in the session.
4. The Node.js web terminal component deserializes the session data. Due to the format mismatch between PHP’s serialization and Node.js’s deserialization, the injected malicious data is interpreted as code.
5. The deserialized code is executed within the context of the Node.js web terminal, granting the attacker control.
6. The attacker leverages the initial code execution to escalate privileges to root.
7. With root privileges, the attacker can install malware, create new user accounts, or exfiltrate sensitive data.
8. The attacker achieves persistent access and control over the compromised HestiaCP server.

Impact

Successful exploitation of this vulnerability allows unauthenticated remote attackers to gain complete control over the HestiaCP server. This can lead to data breaches, system downtime, and the potential for further attacks on other systems within the network. Given the CVSS v3.1 base score of 10.0, this is a highly critical vulnerability.

Recommendation

• Apply available patches or upgrade to a version of HestiaCP beyond 1.9.4 to remediate CVE-2026-43633.
• Deploy the Sigma rule Detect HestiaCP CVE-2026-43633 Attack to identify exploitation attempts based on suspicious HTTP headers in web server logs.
• Monitor web server logs for unusual patterns in HTTP headers, specifically those related to session management.
• Disable the web terminal feature if it is not actively used to reduce the attack surface until patches can be applied.

]]>criticalthreatdeserializationrcecve