CVE-2021-47949 Cyberpanel CVE debrief

Who should care

Teams running CyberPanel, especially administrators exposing the panel to authenticated users, should treat this as a high-priority issue. Security teams should care because the impact includes sensitive file disclosure and remote code execution once an attacker has valid access.

Technical summary

The supplied record says the flaw is an authenticated vulnerability in CyberPanel 2.1 involving symlink attacks. NVD maps it to CWE-59 (improper link resolution before file access). The attack path described in the source is: use POST requests to /filemanager/controller, manipulate the completeStartingPath parameter to create symbolic links, then use /websites/fetchFolderDetails to read files and execute shell commands. The record also lists high-impact CVSS characteristics, including network access, low attack complexity, and required privileges.

Defensive priority

High. Because the issue enables both arbitrary file read and remote code execution after authentication, remediation should be treated as urgent for any exposed CyberPanel deployment.

Recommended defensive actions

• Identify all CyberPanel instances and confirm whether the affected version range includes CyberPanel 2.1 as described in the source.
• Restrict access to CyberPanel administration interfaces to trusted networks and authenticated administrative users only.
• Review filemanager and website-management endpoints for unexpected symlink creation or abnormal use of completeStartingPath.
• Audit server-side logs for suspicious POST requests to /filemanager/controller and /websites/fetchFolderDetails.
• Rotate credentials and secrets that may have been exposed if the panel was reachable by an attacker.
• Apply vendor guidance or upgrade to a version that addresses the issue before re-enabling broad access.
• Treat any confirmed exploitation as a potential full compromise and investigate for additional persistence or post-exploitation activity.

Evidence notes

This debrief is based only on the supplied CVE record and its listed references. The record states: CyberPanel 2.1 is affected; authenticated attackers can exploit symlink attacks via /filemanager/controller; completeStartingPath can be manipulated; sensitive files such as database credentials may be read; and remote code execution is possible via /websites/fetchFolderDetails. NVD metadata in the supplied source classifies the weakness as CWE-59 and provides a CVSS v4 vector indicating network attack, low complexity, and high impacts to confidentiality, integrity, and availability. The supplied reference list includes the CVE record, NVD detail page, CyberPanel site, GitHub repository, Exploit-DB entry, and a VulnCheck advisory URL, but only the facts explicitly present in the supplied corpus were used here.

Official resources