Key Information on the Vulnerability

Date: June 25th, 2020

Title: (0Day) CentOS Web Panel ajax_mod_security check_ip Command Injection Remote Code Execution Vulnerability

IDs:
- ZDI-20-738
- ZDI-CAN-9707
- CVE-2020-15421

CVSS Score: 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected:
- Vendors: CentOS Web Panel
- Products: CentOS Web Panel

Vulnerability Details:
- Allows remote attackers to execute arbitrary code on affected instances of CentOS Web Panel without requiring authentication.
- The flaw is in , where parameter parsing fails to properly validate user-supplied strings before executing a system call, leading to code execution as root.

Disclosure Timeline:
- 2020-01-23: Vulnerability reported to vendor
- 2020-06-25: Public advisory release coordinated with ZDI

Research Credit: @PaulosYibel & CasperTea

Mitigation:
- Restrict service interaction to trusted machines using firewall rules or whitelisting for legitimate clients and servers.
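The root cause described above is a user-supplied string reaching a system call without validation. The following added example (not CentOS Web Panel code, which is PHP; this is an illustration written for this advisory) shows the missing check for an IP-typed parameter such as check_ip: the value is parsed as an IP address and re-emitted in canonical form, and the command is built as an argv list with no shell. The tool name "ipcheck" is a placeholder.

```python
import ipaddress
import subprocess
from typing import List


def unsafe_build_command(user_value: str) -> str:
    """Anti-pattern matching the advisory: the raw parameter is interpolated
    into a shell command string with no validation. Shown for contrast only;
    never execute the result."""
    return f"ipcheck --ip {user_value}"


def validate_ip(value: str) -> str:
    """Return the canonical text form of value if it is exactly one IPv4 or
    IPv6 address; raise ValueError for anything else.

    ipaddress.ip_address() rejects shell metacharacters, whitespace, CIDR
    ranges, hostnames and empty input, so nothing but a well-formed address
    survives. Returning the canonicalised string (not the original) means
    the caller never forwards user bytes downstream.
    """
    if not isinstance(value, str) or not value or value != value.strip():
        raise ValueError("check_ip must be a single bare IP address")
    return str(ipaddress.ip_address(value))


def build_check_ip_argv(user_value: str) -> List[str]:
    """Build the argv for the placeholder lookup tool.

    Validation happens before any command is assembled, and the result is a
    list rather than a string, so no shell ever parses the value.
    """
    ip = validate_ip(user_value)
    return ["ipcheck", "--ip", ip]


def run_check_ip(user_value: str) -> subprocess.CompletedProcess:
    """Execute the lookup with shell=False; a ValueError from validation
    propagates to the caller instead of reaching the OS."""
    argv = build_check_ip_argv(user_value)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, check=False)
```

The same pattern applies to any parameter with a narrow expected type: parse it into that type first, then pass the parsed value as a separate argv element rather than through a shell string.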