Cyber Resilience

CVE-2021-47871

High · Public PoC

Published: 21 January 2026

Modified: 15 April 2026
CVSS Score v4: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0042 (33.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2021-47871 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Hestiacp (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 33.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2021-47871 is an arbitrary file write vulnerability in Hestia Control Panel version 1.3.2. The issue resides in the API endpoint at index.php, where the v-make-tmp-file command can be used to write SSH keys or other content to specific file paths on the server. It is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-73 (External Control of File Name or Path). The vulnerability was published on 2026-01-21.

Authenticated attackers with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation allows writing arbitrary files to sensitive locations, potentially enabling privilege escalation, persistent access via SSH keys, or further compromise of the hosting server.

Mitigation details and patches are referenced in advisories from the Hestia Control Panel GitHub repository (https://github.com/hestiacp/hestiacp), official website (https://hestiacp.com/), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/49667), and a Vulncheck advisory (https://www.vulncheck.com/advisories/hestia-control-panel-arbitrary-file-write). Security practitioners should consult these sources for updates and remediation steps.

Vulnerability details

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098.004 SSH Authorized Keys (tactic: Persistence)
Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host.
Why these techniques?

Arbitrary file write directly enables placement of SSH authorized_keys for persistence (T1098.004) and is commonly leveraged for local privilege escalation (T1068) on the host.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20931 (Shared CWE-73)
CVE-2026-32204 (Shared CWE-73)
CVE-2025-59291 (Shared CWE-73)
CVE-2026-24287 (Shared CWE-73)
CVE-2025-59292 (Shared CWE-73)
CVE-2026-41088 (Shared CWE-73)
CVE-2021-47746 (Shared CWE-73)
CVE-2024-22341 (Shared CWE-73)
CVE-2023-45588 (Shared CWE-73)
CVE-2026-30289 (Shared CWE-73)

Affected Assets

Hestiacp
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates arbitrary file writes by requiring validation of file path inputs to the v-make-tmp-file API command.

prevent

Addresses the vulnerability through timely flaw remediation by applying patches that fix the improper file handling in Hestia Control Panel.

prevent

Limits damage from low-privilege authenticated attackers by enforcing least privilege on accounts accessing the API endpoint.
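
The input-validation control above, sketched as an added example (not code from Hestia Control Panel or from this advisory): a CWE-73 style check that canonicalises a caller-supplied file name and accepts it only if the result stays inside one allowed directory. The function names, the staging directory and the sample inputs are assumptions constructed for illustration.

```python
import os
import tempfile

class PathRejected(ValueError):
    """The requested name would resolve outside the allowed directory."""

def resolve_confined(base_dir: str, requested: str) -> str:
    """Return the canonical write path for `requested`, or raise PathRejected."""
    if not requested or "\x00" in requested:
        raise PathRejected("empty name or NUL byte")
    if os.path.isabs(requested):
        raise PathRejected("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the comparison is made
    # on the location the write would actually land in.
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathRejected(f"{requested!r} resolves outside {base}")
    return target

def run_demo() -> dict:
    """Check constructed inputs against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        allowed = os.path.join(root, "tmp")  # hypothetical staging directory
        ssh_dir = os.path.join(root, "home", "u", ".ssh")
        os.makedirs(allowed)
        os.makedirs(ssh_dir)
        # Constructed symlink inside the allowed directory that points out of it.
        os.symlink(ssh_dir, os.path.join(allowed, "link"))
        samples = {
            "plain": "upload.txt",
            "subdir": "sub/upload.txt",
            "dotdot": "../home/u/.ssh/authorized_keys",
            "symlink": "link/authorized_keys",
            "absolute": os.path.join(ssh_dir, "authorized_keys"),
            "empty": "",
        }
        for label, name in samples.items():
            try:
                resolve_confined(allowed, name)
                results[label] = "allowed"
            except PathRejected:
                results[label] = "rejected"
    return results

if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:9} {verdict}")
```

The write that follows should open the canonical path the function returns rather than the original string, and the process doing the write should run with no more file-system privilege than the staging directory requires.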
