Impact
A broken access control flaw in the HestiaCP panel’s cronjob feature allows low‑privilege users to modify scheduled tasks. By editing a cron entry, the attacker can trigger HestiaCP management scripts with password‑less sudo, effectively granting themselves the privileges of an administrator. This leads to application‑level takeover and potentially the underlying web server, exposing all data and services controlled by that server. The weakness is a classic case of broken access control (CWE‑287).
Affected Systems
Affected: HestiaCP (all current releases). The vulnerability appears to influence all builds that expose the cronjob functionality.
Risk and Exploitability
The CVSS base score of 8.3 denotes high severity, with significant impact on confidentiality, integrity, and availability. EPSS is not available, and the vulnerability is not listed in CISA KEV, suggesting limited timely exploitation. Exploitation requires an authenticated low‑privilege account in the HestiaCP web interface, after which the attacker can manipulate the cron configuration to run privileged scripts. In the absence of a publicly issued fix, the attack vector is presumed to be local, authenticated, relying on the web panel.
OpenCVE Enrichment