
CVE-2025-56413: Fit2cloud 1panel RCE Vulnerability

CVE-2025-56413 is an OS command injection vulnerability in Fit2cloud 1panel 2.0.8 that enables attackers to execute arbitrary commands. This article covers technical details, affected versions, impact, and mitigation.


CVE-2025-56413 Overview

CVE-2025-56413 is an operating system (OS) command injection vulnerability in the OperateSSH function of 1Panel version 2.0.8. The flaw resides in the /api/v2/hosts/ssh/operate endpoint, where the operation parameter is passed to a shell context without proper sanitization. Authenticated attackers can inject arbitrary shell commands and execute them with the privileges of the 1Panel service. The issue is tracked under CWE-78: Improper Neutralization of Special Elements used in an OS Command. 1Panel is a widely deployed open source Linux server management panel developed by Fit2cloud.

Critical Impact

Authenticated attackers can achieve arbitrary command execution on the underlying host through the SSH operation API, leading to full server compromise.

Affected Products

  • Fit2cloud 1Panel 2.0.8
  • Deployments exposing the /api/v2/hosts/ssh/operate endpoint
  • Linux servers managed through the 1Panel control panel

Discovery Timeline

  • 2025-09-10 - CVE-2025-56413 published to the National Vulnerability Database (NVD)
  • 2025-11-18 - Last updated in the NVD database

Technical Details for CVE-2025-56413

Vulnerability Analysis

The vulnerability exists in the OperateSSH function exposed through the /api/v2/hosts/ssh/operate API route in 1Panel 2.0.8. The handler accepts an operation parameter from the HTTP request body and incorporates it into a system command used to manage the SSH service. Because the parameter is not validated or escaped, attackers can append shell metacharacters such as ;, &&, |, or backticks to chain additional commands. The injected payload executes within the same shell context as the 1Panel backend process, which typically runs with elevated privileges to manage host services.

Successful exploitation grants the attacker arbitrary command execution on the managed Linux host. From this position, an attacker can read sensitive files, install persistence, pivot to internal networks, or deploy additional malware.

Root Cause

The root cause is improper neutralization of special elements in an OS command [CWE-78]. The operation field is concatenated into a shell invocation without an allowlist check or argument escaping. Safe alternatives such as parameterized process execution APIs that accept argument arrays were not used.
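To make the root cause concrete, the following added example (not 1Panel's code; function and allowlist names are hypothetical) contrasts the CWE-78 pattern of splicing the operation field into a shell string with the hardened form the text describes: an allowlist check followed by an argument vector handed to exec.Command, so no shell ever parses the value.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// Allowlist of SSH service operations the handler may accept. Hypothetical
// set chosen for illustration; not taken from 1Panel's source.
var allowedOps = map[string]bool{
	"start": true, "stop": true, "restart": true, "enable": true, "disable": true,
}

// metachars is used only to give a precise rejection reason; the allowlist
// alone is the security control.
var metachars = regexp.MustCompile("[;&|`$(){}<>\n]")

// unsafeShellLine shows the vulnerable pattern: the raw field is spliced into a
// string that is later handed to "sh -c", so metacharacters are interpreted.
func unsafeShellLine(op string) string {
	return fmt.Sprintf("systemctl %s sshd", op) // never do this with user input
}

// buildSSHServiceArgv is the hardened form: validate against the allowlist,
// then build an argv for exec.Command so the value is never shell-parsed.
func buildSSHServiceArgv(op string) ([]string, error) {
	if !allowedOps[op] {
		if metachars.MatchString(op) {
			return nil, fmt.Errorf("operation %q rejected: shell metacharacters present", op)
		}
		return nil, errors.New("operation not in allowlist")
	}
	return []string{"systemctl", op, "sshd"}, nil
}

// operateSSH (hypothetical handler core) runs the validated argv without a
// shell; a validation error is returned before anything is executed.
func operateSSH(op string) error {
	argv, err := buildSSHServiceArgv(op)
	if err != nil {
		return err
	}
	return exec.Command(argv[0], argv[1:]...).Run()
}
```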

Attack Vector

The attack is network-reachable and requires authenticated access to the 1Panel API with low privileges. An attacker sends a crafted HTTP request to /api/v2/hosts/ssh/operate with a malicious operation value, such as a legitimate keyword followed by shell separators and arbitrary commands. The 1Panel backend then invokes the shell, executing the appended payload. See the GitHub CVE Issue Discussion and GitHub Yu Project Documentation for additional context.

No verified proof-of-concept code is published. The vulnerable flow can be summarized as:

  1. A POST request to /api/v2/hosts/ssh/operate with a JSON body containing an "operation" field controlled by the attacker.
  2. The backend OperateSSH handler passes "operation" into a shell command.
  3. Shell metacharacters in "operation" cause additional commands to run.

Detection Methods for CVE-2025-56413

Indicators of Compromise

  • Unexpected POST requests to /api/v2/hosts/ssh/operate containing shell metacharacters such as ;, |, &&, $(, or backticks in the operation parameter.
  • 1Panel backend process spawning unusual child processes such as sh, bash, curl, wget, nc, or python outside of routine SSH service management.
  • New cron jobs, systemd units, SSH authorized keys, or user accounts created shortly after access to the SSH operate endpoint.

Detection Strategies

  • Inspect 1Panel HTTP access logs and reverse proxy logs for requests to /api/v2/hosts/ssh/operate where the operation value does not match the expected enumeration of SSH actions.
  • Correlate process creation telemetry on the host with the 1Panel parent process to identify shell invocations that follow API calls to the SSH operate endpoint.
  • Apply web application firewall (WAF) rules that flag shell metacharacters in JSON request bodies sent to 1Panel API paths.

Monitoring Recommendations

  • Forward 1Panel application logs, web server logs, and Linux audit (auditd) execve events to a centralized SIEM for correlation.
  • Alert on outbound network connections initiated by the 1Panel service to non-administrative destinations, which can indicate command-injection-driven payload retrieval.
  • Baseline the legitimate operation values used by administrators and alert on deviations from that allowlist.
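The log-inspection and baselining strategies above, as an added example that is not part of this advisory: it scans constructed JSON-lines request logs (an assumed format, since this page does not describe 1Panel's log schema) for POSTs to the SSH operate endpoint whose operation value contains the listed metacharacters or falls outside an administrator baseline.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Constructed JSON-lines request log assumed for this example; 1Panel's real
// log schema is not described on this page. One request per line.
type apiLog struct {
	Time, Method, Path, User string
	Body                     struct{ Operation string }
}

const targetPath = "/api/v2/hosts/ssh/operate"
// Baseline of operation values legitimately used by administrators (assumed).
var baseline = map[string]bool{"start": true, "stop": true, "restart": true}
// Metacharacters named in the Indicators of Compromise section.
var shellMeta = regexp.MustCompile("[;|&`]|\\$\\(")

// Finding records the flagged request and the rule that fired.
type Finding struct{ Time, User, Operation, Reason string }

// scanSSHOperateLogs returns one Finding per suspicious POST to the SSH
// operate endpoint. Metacharacter hits take precedence over baseline misses.
func scanSSHOperateLogs(lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		var e apiLog
		if json.Unmarshal([]byte(line), &e) != nil || e.Method != "POST" || e.Path != targetPath {
			continue
		}
		op := e.Body.Operation
		switch {
		case shellMeta.MatchString(op):
			out = append(out, Finding{e.Time, e.User, op, "shell metacharacters in operation"})
		case !baseline[op]:
			out = append(out, Finding{e.Time, e.User, op, "operation outside baseline allowlist"})
		}
	}
	return out
}

// sampleLog is constructed test data, not a real capture.
var sampleLog = strings.Split(strings.TrimSpace(`
{"time":"2025-09-11T08:00:01Z","method":"POST","path":"/api/v2/hosts/ssh/operate","user":"admin","body":{"operation":"restart"}}
{"time":"2025-09-11T08:00:02Z","method":"GET","path":"/api/v2/hosts/ssh/conf","user":"admin","body":{}}
{"time":"2025-09-11T08:02:17Z","method":"POST","path":"/api/v2/hosts/ssh/operate","user":"ops1","body":{"operation":"restart; id"}}
{"time":"2025-09-11T08:03:40Z","method":"POST","path":"/api/v2/hosts/ssh/operate","user":"ops1","body":{"operation":"reload"}}
`), "\n")
```

Feeding real proxy or application logs requires mapping their field names onto apiLog; the two rules themselves carry over unchanged.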

How to Mitigate CVE-2025-56413

Immediate Actions Required

  • Restrict network access to the 1Panel management interface to trusted administrative networks or VPN-only access.
  • Rotate 1Panel administrative credentials and review all existing accounts for unauthorized additions.
  • Audit the host for signs of post-exploitation activity, including new SSH keys, scheduled tasks, and unexpected listening services.

Patch Information

No vendor advisory URL is published in the NVD record at the time of writing. Administrators should monitor the 1Panel project repository for releases newer than 2.0.8 that address the OperateSSH handler and upgrade as soon as a fixed version becomes available.

Workarounds

  • Block external access to the /api/v2/hosts/ssh/operate endpoint at a reverse proxy or WAF until a patched release is installed.
  • Deploy WAF signatures that reject requests containing shell metacharacters in the operation field.
  • Run the 1Panel service under a least-privilege account where feasible to limit the impact of command execution.

```nginx
# Example nginx snippet to block external access to the vulnerable endpoint
location = /api/v2/hosts/ssh/operate {
    allow 10.0.0.0/8;     # internal admin network
    deny  all;
    proxy_pass http://1panel_backend;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
