Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability in the Kirby content management system could allow unauthorized users to install administrative access on public-facing websites. This issue arises when specific network headers are trusted incorrectly in certain server configurations. While the primary concern is confirming relevance, this could present a risk to sites that meet these specific technical criteria.
- An attacker could gain admin access.
- This impacts public websites with specific configurations.
- Verify if your Kirby sites are exposed.
Attack Path
How an attacker could exploit the issue
An attacker could remotely target a publicly accessible Kirby CMS if it is set up behind a reverse proxy without any user accounts configured. By manipulating specific request headers that the proxy passes along, an attacker could trick the system into believing it's receiving a request from a trusted internal source, bypassing security checks. This would allow them to install the Kirby Panel and create an administrative user.
- No user accounts configured.
- Manipulated IP headers.
- Unauthorized admin access.
Live Threat
Current exploitation, exposure, and threat context
When supported by the advisory, remote attackers could potentially install the Kirby Panel and create an administrator account on publicly accessible servers. This is possible for Kirby sites with no pre-configured user accounts when operating behind a reverse proxy that improperly trusts specific request headers.
- Unconfigured Kirby sites.
- Remote attackers could exploit trusted headers.
- Unauthorized administrative access to the Panel.
Operational Fix
Recommended remediation, mitigation, and detection steps
Kirby CMS instances deployed on publicly accessible servers behind a reverse proxy require immediate attention from application owners and infrastructure teams. The initial step is to locate all Kirby installations, verify their exposure and criticality, and identify the accountable system owner to plan remediation, which may involve coordination with vendors.
- Identify Kirby CMS application owners.
- Verify public reachability and critical assets.
- Plan vendor-coordinated updates.