CVE-2021-47871
Unknown Unknown - Not Provided
Arbitrary File Write in Hestia Control Panel 1.3.2 via API

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: VulnCheck

Description
Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-21
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-14
NVD
CVE-2021-47871
EUVD
EUVD-2026-3620
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hestiacp hestia_control_panel to 1.3.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47871 is an arbitrary file write vulnerability in Hestia Control Panel version 1.3.2 and earlier. Authenticated attackers can exploit the API endpoint index.php by using the "v-make-tmp-file" command to write files to arbitrary locations on the server. For example, an attacker can write SSH public keys into files like /home/admin/.ssh/authorized_keys, potentially enabling unauthorized SSH access. This vulnerability allows attackers to place malicious files anywhere on the server, which can lead to further compromise. [1, 3]

Impact Analysis

This vulnerability can allow an authenticated attacker to write arbitrary files anywhere on the server, including malicious SSH keys. This can lead to unauthorized remote access, remote code execution, and full compromise of the server. The attacker could maintain persistent access or disrupt server operations, severely impacting confidentiality, integrity, and availability of the system. [1, 3]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the API endpoint at port 8083, specifically to https://TARGET:8083/api/index.php. Look for requests containing the 'v-make-tmp-file' command with parameters that attempt to write files, such as SSH keys, to arbitrary locations. A sample detection command using curl to test the vulnerability could be crafted to send a POST request with parameters 'hash', 'returncode', 'cmd', and arguments specifying file content and destination path. For example, sending a POST request with 'cmd=v-make-tmp-file' and arguments targeting the '/home/admin/.ssh/authorized_keys' file. Network intrusion detection systems can be configured to alert on such patterns. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Hestia Control Panel to version 1.3.3 or later, where this arbitrary file write vulnerability has been fixed. Additionally, restrict access to the API endpoint to trusted users only, enforce strong authentication, and monitor logs for suspicious activity involving the 'v-make-tmp-file' command. If upgrading immediately is not possible, consider disabling or restricting the vulnerable API functionality until a patch can be applied. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47871. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart