CVE-2025-30007 in HestiaCP
Summary
by MITRE • 07/10/2026
HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in is_dns_record_format_valid() combined with unsafe eval-based parsing in update_domain_zone() to prematurely close a variable assignment string and achieve full root code execution on the underlying host in a single DNS record creation step.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability exists within Hestia Control Panel versions prior to 1.9.5 and represents a critical authenticated OS command injection flaw that fundamentally undermines system security through improper input validation mechanisms. The vulnerability specifically targets the DNS record handling functionality where low-privilege authenticated users can manipulate the system by injecting a single-quote character into DNS record types, creating a chain of code execution that ultimately leads to root privilege escalation.
The technical exploitation occurs through a combination of insufficient input validation in the is_dns_record_format_valid() function and unsafe eval-based parsing within update_domain_zone(). When an attacker submits malicious DNS records containing single-quote characters, these inputs bypass proper sanitization checks and are subsequently processed through an eval operation that treats the injected characters as command delimiters rather than data. This fundamental flaw allows attackers to prematurely close variable assignment strings and inject arbitrary shell commands that execute with root privileges.
The operational impact of this vulnerability is severe as it enables attackers to achieve complete system compromise without requiring additional attack vectors or privilege escalation techniques. Once exploited, the attacker gains full root access to the underlying host system, allowing them to modify system files, install backdoors, steal sensitive data, and establish persistent access. The vulnerability is particularly dangerous because it requires only authentication to a low-privilege account and can be triggered through a single DNS record creation operation, making it highly accessible to attackers who have gained any level of user access.
This vulnerability aligns with CWE-78 and CWE-89 categories from the Common Weakness Enumeration framework, specifically representing improper neutralization of special elements used in OS commands and improper input validation. The attack pattern follows ATT&CK technique T1059.004 for command and scripting interpreter to execute code, while also demonstrating T1068 for exploit for privilege escalation. Organizations using affected versions of HestiaCP should immediately implement mitigations including upgrading to version 1.9.5 or later, implementing strict input validation measures, and monitoring DNS record creation activities for suspicious patterns that might indicate exploitation attempts.
The root cause stems from a lack of proper input sanitization and the dangerous use of eval operations with user-controllable data in a privileged context. This design flaw creates an environment where user-supplied data can directly influence system command execution, bypassing all normal security boundaries. The vulnerability demonstrates how seemingly minor input validation gaps can create catastrophic security consequences when combined with unsafe programming practices that process user input through dynamic code evaluation mechanisms rather than safe parsing approaches.
Security practitioners should prioritize this vulnerability for immediate remediation as it provides a direct path to root compromise and represents one of the most dangerous authenticated command injection flaws possible within a control panel environment. The ease of exploitation combined with the severe impact makes this vulnerability particularly concerning for hosting providers and system administrators who rely on HestiaCP for their infrastructure management, emphasizing the critical importance of timely patch deployment and comprehensive security monitoring of DNS-related activities.