CVE-2021-47949 Overview
CVE-2021-47949 is an authenticated command execution vulnerability in CyberPanel 2.1, a web hosting control panel. The flaw resides in the filemanager controller endpoint, which fails to validate symbolic link operations against user-controlled paths. Authenticated attackers send crafted POST requests to /filemanager/controller and manipulate the completeStartingPath parameter to create symlinks pointing to arbitrary filesystem locations. This primitive enables reading sensitive files such as database credentials and chaining to remote code execution through the /websites/fetchFolderDetails endpoint. The vulnerability is classified as a symlink following weakness [CWE-59].
Critical Impact
Authenticated attackers can read arbitrary files including database credentials and achieve remote code execution on the underlying host.
Affected Products
- CyberPanel 2.1
- CyberPanel filemanager controller component
- CyberPanel websites/fetchFolderDetails endpoint
Discovery Timeline
- 2026-05-10 - CVE-2021-47949 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2021-47949
Vulnerability Analysis
The vulnerability is a symlink attack [CWE-59] within CyberPanel's file management subsystem. The filemanager/controller endpoint accepts a completeStartingPath parameter from authenticated users and performs file operations without resolving or restricting the target path. Attackers issue POST requests that instruct the controller to create symbolic links from a user-writable location to sensitive system files. Because the application later reads or processes the symlinked path with elevated privileges, the contents of arbitrary files become accessible through the panel.
The attack chain extends beyond file disclosure. After staging a symlink, attackers invoke the /websites/fetchFolderDetails endpoint, which executes shell operations against the attacker-controlled path. This second stage transforms the file-read primitive into arbitrary command execution under the service account running CyberPanel.
Root Cause
The root cause is missing validation of symbolic links and insufficient path canonicalization on the completeStartingPath parameter. CyberPanel trusts the resolved file path supplied by an authenticated user and does not verify that the target stays within the user's designated directory. This permits link-following operations that cross trust boundaries.
Attack Vector
Exploitation requires network access and valid authenticated credentials on the CyberPanel instance. The attacker submits a POST request to /filemanager/controller with a malicious completeStartingPath value to create a symlink pointing to a target such as /etc/passwd or the CyberPanel database configuration file. A follow-up request to /websites/fetchFolderDetails triggers processing of the symlinked path and yields command execution. Refer to the Exploit-DB #50230 entry and the VulnCheck advisory for the full request structure.
Detection Methods for CVE-2021-47949
Indicators of Compromise
- Unexpected symbolic links inside CyberPanel-managed directories such as /home/<site>/public_html that resolve to system paths like /etc/, /root/, or /usr/local/CyberCP.
- POST requests to /filemanager/controller containing a completeStartingPath parameter with traversal sequences or absolute paths outside the user's home directory.
- Subsequent requests to /websites/fetchFolderDetails from the same session immediately after symlink creation.
- Access patterns to mysqlUtilities.py or other database credential files from web service accounts.
Detection Strategies
- Inspect CyberPanel access logs for POST requests to /filemanager/controller and /websites/fetchFolderDetails paired within the same authenticated session.
- Monitor the filesystem for symlink() syscalls originating from the CyberPanel process where the target path exits the tenant's home directory.
- Alert on shell command spawns from the CyberPanel application user that do not match normal control-panel operations.
Monitoring Recommendations
- Enable verbose audit logging for the filemanager and websites modules and forward logs to a centralized SIEM.
- Track creation of symbolic links inside web-accessible directories using filesystem integrity monitoring.
- Review CyberPanel user accounts and disable any that are unused or have weak credentials, since exploitation requires authentication.
How to Mitigate CVE-2021-47949
Immediate Actions Required
- Upgrade CyberPanel to a version later than 2.1 that addresses the symlink validation flaw. Track releases through the CyberPanel GitHub repository.
- Audit all CyberPanel accounts and rotate credentials, particularly for any user that does not require file manager access.
- Inspect managed sites for unauthorized symbolic links pointing outside their respective home directories and remove them.
- Rotate database credentials referenced by CyberPanel if exploitation is suspected.
Patch Information
Review the CyberPanel official site and the GitHub repository for the latest release that hardens the filemanager controller against symlink attacks. The VulnCheck advisory documents the technical scope of the fix.
Workarounds
- Restrict network access to the CyberPanel administrative interface using firewall rules or a VPN until patching is complete.
- Disable or limit access to the file manager module for non-administrative users.
- Run CyberPanel under a least-privilege service account and apply mandatory access controls such as AppArmor or SELinux profiles to restrict symlink traversal.
- Configure the underlying filesystem with nosymfollow mount options on tenant directories where supported.
# Example: restrict CyberPanel administrative access at the host firewall
sudo ufw default deny incoming
sudo ufw allow from <trusted_admin_ip> to any port 8090 proto tcp
sudo ufw enable
# Example: prevent symlink following on a tenant directory (kernel >= 5.10)
sudo mount -o remount,nosymfollow /home
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
