{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/pheditor/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pheditor (All versions)","Pheditor (\u003e= 2.0.1, \u003c 2.0.6)"],"_cs_severities":["critical"],"_cs_tags":["hardcoded-credentials","rce","web-application","cve","web-vulnerability","command-injection","php"],"_cs_type":"advisory","_cs_vendors":["Pheditor"],"content_html":"\u003cp\u003ePheditor, a web-based file editor, is affected by a critical vulnerability, CVE-2026-55579, stemming from a hardcoded default password. The application ships with a default administrator password \u0026quot;admin,\u0026quot; which is stored as an unsalted SHA-512 hash in the \u003ccode\u003epheditor.php\u003c/code\u003e source file. There is no enforced mechanism to prompt a password change upon initial login, nor are there any lockout policies for incorrect attempts. This design flaw allows any unauthenticated attacker to bypass authentication by using the well-known default credentials. Upon successful login, the attacker gains full administrative control over the application's features, including file upload capabilities, arbitrary file read/write, and a terminal for remote code execution. This directly leads to server compromise, enabling data exfiltration, service disruption, and the establishment of persistent backdoors. All versions of Pheditor are affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Pheditor instance exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to the Pheditor web interface using the publicly known default password \u0026quot;admin.\u0026quot;\u003c/li\u003e\n\u003cli\u003ePheditor accepts the default credentials, grants the attacker an authenticated session, and sets a session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker loads the Pheditor interface, extracts the CSRF token from the HTML source, and gains full administrative control over the application's features.\u003c/li\u003e\n\u003cli\u003eLeveraging the authenticated session and CSRF token, the attacker accesses the built-in terminal feature.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the underlying server via the terminal, achieving remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with further actions such as arbitrary file upload, reading sensitive files, modifying application code, or deleting directories, leading to full server compromise and data impact.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability (CVE-2026-55579, CWE-798) grants an unauthenticated attacker full administrator access to the Pheditor application if default credentials are in use. This leads to high impact across confidentiality, integrity, and availability. Attackers can read any files accessible by the web server process, potentially leading to sensitive data exposure. Integrity is compromised through the ability to write/delete files, upload webshells, or modify application code. Furthermore, the terminal feature allows for arbitrary command execution, providing complete control over the underlying server. This could lead to full system compromise, data exfiltration, defacement, or denial of service through deletion of critical files and directories.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eImmediately change the default 'admin' password\u003c/strong\u003e on all Pheditor instances to a strong, unique password.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement a robust password policy\u003c/strong\u003e that forces users to change default passwords upon first login.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnsure Pheditor instances are not exposed to the public internet\u003c/strong\u003e unless absolutely necessary, and protect them behind a firewall or VPN.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview web server access logs\u003c/strong\u003e for POST requests to \u003ccode\u003e/pheditor.php\u003c/code\u003e originating from unknown IP addresses, especially if \u003ccode\u003epheditor_password=admin\u003c/code\u003e was used in the request body.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:14:34Z","date_published":"2026-07-16T20:13:37Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pheditor-hardcoded-admin-password/","summary":"Pheditor contains a critical vulnerability (CVE-2026-55579) where a hardcoded default password 'admin' with no forced change mechanism upon first login allows an unauthenticated attacker to gain full administrative access, enabling arbitrary file read/write and remote code execution through the application's terminal feature, leading to complete server compromise.","title":"Pheditor Hardcoded Admin Password Leads to Remote Code Execution (CVE-2026-55579)","url":"https://feed.craftedsignal.io/briefs/2026-07-pheditor-hardcoded-admin-password/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pheditor 2.0.4"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","command-injection","php"],"_cs_type":"advisory","_cs_vendors":["Pheditor"],"content_html":"\u003cp\u003ePheditor version 2.0.4 is susceptible to an authenticated terminal command whitelist bypass vulnerability, identified as CVE-2026-54540. This flaw allows an attacker with legitimate access and \u003ccode\u003eterminal\u003c/code\u003e permissions to execute arbitrary operating system commands on the underlying web server. The vulnerability stems from how Pheditor's \u003ccode\u003eterminal\u003c/code\u003e feature validates user-submitted commands. While it checks if a command string begins with an entry from a predefined \u003ccode\u003eTERMINAL_COMMANDS\u003c/code\u003e whitelist, it fails to sanitize or block shell command substitution syntax, such as \u003ccode\u003e$()\u003c/code\u003e, before passing the full command directly to the \u003ccode\u003eshell_exec()\u003c/code\u003e PHP function. This permits an authenticated user to append malicious commands using substitution after a whitelisted prefix, effectively circumventing security controls and achieving remote code execution as the web server user. This is critical for deployments where \u003ccode\u003eTERMINAL_COMMANDS\u003c/code\u003e is relied upon to restrict administrative terminal access to a limited set of safe commands.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker logs into the Pheditor application with privileges that include \u003ccode\u003eterminal\u003c/code\u003e access.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the terminal feature within the Pheditor application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious command string that begins with a whitelisted command (e.g., \u003ccode\u003els\u003c/code\u003e) and appends a shell command substitution (e.g., \u003ccode\u003e$(arbitrary_command)\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Pheditor application receives the command via a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003epheditor.php\u003c/code\u003e or a similar endpoint.\u003c/li\u003e\n\u003cli\u003eThe application performs a prefix check, confirming that the initial part of the attacker's command (e.g., \u003ccode\u003els\u003c/code\u003e) matches an entry in the \u003ccode\u003eTERMINAL_COMMANDS\u003c/code\u003e allowlist.\u003c/li\u003e\n\u003cli\u003eDespite the presence of shell metacharacters for command substitution, the application passes the entire, unsanitized command string to the \u003ccode\u003eshell_exec()\u003c/code\u003e PHP function.\u003c/li\u003e\n\u003cli\u003eThe underlying operating system shell executes the command, including the arbitrary commands embedded via substitution, leading to remote code execution as the web server user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54540 grants an authenticated attacker the ability to execute arbitrary shell commands as the web server user. This can lead to complete compromise of the Pheditor instance and potentially the underlying server. Attackers could exfiltrate sensitive data, deface the website, install backdoors, or pivot to other systems within the network. This vulnerability is particularly impactful for organizations that deploy Pheditor and rely on the \u003ccode\u003eTERMINAL_COMMANDS\u003c/code\u003e configuration to restrict terminal access to a controlled set of operations, as these restrictions can be trivially bypassed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to detect attempts at command substitution in Pheditor's terminal input.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003ewebserver\u003c/code\u003e logs for HTTP POST requests to \u003ccode\u003epheditor.php\u003c/code\u003e or similar endpoints that contain the \u003ccode\u003ecommand\u003c/code\u003e parameter with shell command substitution patterns (e.g., \u003ccode\u003e$()\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003ePatch Pheditor to a version greater than 2.0.4, or implement the suggested fixes from the advisory, which include avoiding \u003ccode\u003eshell_exec()\u003c/code\u003e for user-controlled input, requiring exact command matches, or comprehensively rejecting shell metacharacters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T20:02:31Z","date_published":"2026-07-16T20:02:31Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pheditor-whitelist-bypass/","summary":"Pheditor 2.0.4 contains an authenticated command injection vulnerability, CVE-2026-54540, allowing a user with `terminal` permissions to bypass the `TERMINAL_COMMANDS` whitelist by leveraging shell command substitution to execute arbitrary shell commands as the web server user.","title":"Pheditor Authenticated Command Whitelist Bypass via Shell Command Substitution","url":"https://feed.craftedsignal.io/briefs/2026-07-pheditor-whitelist-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Pheditor","version":"https://jsonfeed.org/version/1.1"}