External risk intelligence

HestiaCP vulnerability allows attackers full control of your server

CVE advisorySeverity: CRITICAL (CVSS 9.5)

CVE-2026-43633

HestiaCP's web terminal has a flaw allowing unauthenticated attackers root access to your server by sending malicious HTTP headers, potentially exposing sensitive data.

4Halo Surface Signal

Deserialization

External exposure likelihood

Halo Surface Signal score for CVE-2026-43633

HestiaCP is a web-based hosting control panel, which is typically deployed as an externally reachable management surface. The vulnerable web terminal component is designed for remote administrative access, making it accessible via standard HTTP traffic from the internet in common deployment scenarios.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This issue in HestiaCP's web terminal could allow an unauthenticated attacker to run commands on your server with root privileges. It happens when specially crafted data is sent in HTTP headers, leading to the system executing unintended code. Teams should pay attention because this vulnerability grants full control over the affected system.

  • Enables root-level code execution.
  • Attack is remote and unauthenticated.
  • Affects systems with the web terminal enabled.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP headers to a vulnerable HestiaCP server. The server's PHP session handler will process these headers, but the Node.js web terminal component will misinterpret them as trusted session data, leading to the execution of arbitrary commands with root privileges.

  • Target vulnerable web terminal.
  • Inject data via HTTP headers.
  • Requires web terminal enabled.

Live Threat

Current exploitation, exposure, and threat context

Attackers are likely to weaponize this vulnerability due to its critical impact and ease of exploitation. The ability to achieve root-level code execution without authentication on a web-facing service presents a significant opportunity for attackers to compromise servers. While there is no public exploit code available yet, the clear vulnerability description and associated proof-of-concept details make it a prime target for exploit development.

  • Unauthenticated remote code execution.
  • Web terminal component is externally accessible.
  • Root-level impact is highly desirable.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize discovering and assessing HestiaCP installations with the web terminal feature enabled, as this critical vulnerability allows unauthenticated remote code execution. Focus on identifying any signs of compromise by reviewing logs for suspicious HTTP header activity and command execution attempts, especially on systems with the web terminal component. If exploitation is suspected, immediately isolate affected services to prevent further lateral movement or data exfiltration.

  • Disable the web terminal feature.
  • Monitor for suspicious network traffic.
  • Update HestiaCP to a patched version.

Frequently asked questions

What is HestiaCP and its primary function in web hosting management?

HestiaCP is an open-source web hosting control panel designed to simplify server administration. It provides a user-friendly interface for managing websites, email accounts, databases, DNS zones, and other server-related tasks without requiring manual configuration file edits. It's a fork of the Vesta control panel and is actively developed.

What type of vulnerability does CVE-2026-43633 represent and how is it triggered?

CVE-2026-43633 is a critical deserialization vulnerability (CWE-502) in HestiaCP's web terminal component. It is triggered when attackers inject crafted data into HTTP headers. This data is processed by the PHP session handler but then incorrectly deserialized by the Node.js web terminal as trusted session information, leading to arbitrary command execution.

What is the scope of impact for CVE-2026-43633?

Successful exploitation of CVE-2026-43633 allows unauthenticated remote attackers to achieve root-level code execution. This means an attacker can gain complete control over the affected server, including all hosted accounts, databases, and files, provided the web terminal feature is enabled.

What is the relevance of CVE-2026-43633 in the context of HestiaCP's web terminal feature?

The relevance of CVE-2026-43633 stems from the web terminal's design, which is intended for remote administrative access and is often externally reachable. The vulnerability allows for unauthenticated remote code execution, making any HestiaCP installation with the web terminal enabled a significant target.

What actions should be taken to address CVE-2026-43633?

To mitigate CVE-2026-43633, administrators should immediately update HestiaCP to a patched version, such as 1.9.5. If an immediate update is not possible, the web terminal feature should be disabled. Additionally, restricting network access to the management interface and monitoring logs for suspicious activity are recommended practices.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished