Cyber Resilience

CVE-2025-54424

High · Public PoC · RCE

Published: 01 August 2025

Modified: 26 August 2025
KEV Added:
Patch:
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0119 (79.3rd percentile)
Risk Priority 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54424 is a high-severity Command Injection (CWE-77) vulnerability in Fit2Cloud 1Panel. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

1Panel is a web-based management interface and MCP Server for Linux servers that handles websites, files, containers, databases, and LLMs. In versions 2.0.5 and earlier, the HTTPS communication channel between its Core and Agent components performs incomplete certificate verification. This flaw, tracked as CVE-2025-54424 with CVSS 8.1 and CWE-77, allows unauthorized access to privileged interfaces that include command execution capabilities, ultimately enabling remote code execution.

An unauthenticated network attacker can exploit the weak certificate checks to reach high-privilege endpoints without valid credentials. Because numerous interfaces permit arbitrary command execution, successful exploitation grants full remote code execution on the managed server. The CVSS vector rates attack complexity as high because of the specific protocol interaction required, but no user interaction or prior privileges are needed.

The vulnerability is resolved in version 2.0.6. Official patches and advisories are available in the 1Panel GitHub repository, including the release tag v2.0.6, the security advisory GHSA-8j63-96wh-wh3j, and the commit that implements proper certificate validation. Administrators should upgrade promptly and verify that Core-Agent traffic uses the corrected HTTPS handling.
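The defect described above is incomplete verification of the Agent's certificate on the Core side of the HTTPS channel. The Go program below is an added example written for this page; it is not 1Panel's code and does not reproduce the specific gap in 1Panel, which the advisory text here does not spell out. It builds a throwaway private CA, an Agent certificate issued by that CA and a self-signed certificate carrying the same host name, then contrasts a generic incomplete check (the certificate parses and is unexpired, and nothing else is asked) with the full verification a Core client should perform: a chain that leads to the trusted CA, a valid validity window and the host name the Core meant to reach. The CA subject, the host names agent.internal and other.internal, and all function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check panics on error; it is only used while building demo fixtures.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert builds a demo certificate for name. parent == nil means self-signed,
// which is how both the private CA and the impostor certificate are made.
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the host name the Core must expect to see
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// weakVerify is a generic illustration of an incomplete check (not 1Panel's code):
// the leaf parses and is unexpired, nothing else is asked, so any self-signed cert passes.
func weakVerify(rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("no certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("certificate outside its validity period")
	}
	return nil // who signed it and which host it names were never checked
}

// verifyAgentChain is the complete check a Core client should apply: chain to the trusted
// private CA, validity window, and the host the Core meant to reach (what tls.Config{RootCAs, ServerName} does).
func verifyAgentChain(rawCerts [][]byte, roots *x509.CertPool, expectedName string) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("no certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return fmt.Errorf("parse leaf: %w", err)
	}
	// The demo Agent chains directly to the CA; with intermediates, rawCerts[1:] would
	// be parsed into VerifyOptions.Intermediates too. KeyUsages defaults to ServerAuth.
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedName})
	return err
}

// runScenario builds constructed fixtures and returns one result per check.
func runScenario() (validChain, impostor, wrongName, weakOnImpostor error) {
	const agentName = "agent.internal" // constructed Agent host name
	ca, caKey := issueCert("Demo Core CA", true, nil, nil)
	agent, _ := issueCert(agentName, false, ca, caKey)
	rogue, _ := issueCert(agentName, false, nil, nil) // right name, untrusted signer
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return verifyAgentChain([][]byte{agent.Raw}, roots, agentName),
		verifyAgentChain([][]byte{rogue.Raw}, roots, agentName),
		verifyAgentChain([][]byte{agent.Raw}, roots, "other.internal"),
		weakVerify([][]byte{rogue.Raw})
}

func main() {
	valid, impostor, wrongName, weak := runScenario()
	fmt.Println(valid, "|", impostor, "|", wrongName, "|", weak)
}
```

Run it with `go run`: the CA-issued Agent certificate passes the full check, the self-signed certificate and the wrong-name case are rejected, and the weak check accepts the self-signed certificate, which is the class of gap the advisory describes. In a real Core client the same policy is expressed by setting RootCAs and ServerName on the tls.Config and never setting InsecureSkipVerify; Go's Verify also requires the server-authentication extended key usage by default, so a leaf carrying only unrelated usages would be rejected as well.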

EPSS remains low and unchanged at 0.0119 with no observed rise after disclosure.

EU & UK References

Vulnerability details

1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during certificate validation, leading to unauthorized interface access. Due to the presence of numerous command execution or high-privilege interfaces in 1Panel, this results in Remote Code Execution (RCE). This is fixed in version 2.0.6. The CVE has been translated from Simplified Chinese using GitHub Copilot.

CWE(s)

AI Security Analysis (AI)

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: github copilot, llms, mcp

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1057 Process Discovery (Discovery)
Adversaries may attempt to get information about running processes on a system.
T1049 System Network Connections Discovery (Discovery)
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
T1609 Container Administration Command (Execution)
Adversaries may abuse a container administration service to execute commands within a container.
Why these techniques?

The certificate verification bypass gives unauthorized remote access to 1Panel agent WebSocket interfaces, which allows arbitrary Unix shell command execution (T1059.004), process discovery (T1057), network connections discovery (T1049) and container administration commands (T1609); the entry point is exploitation of the public-facing web management application (T1190).

CVEs Like This One

CVE-2025-56413 (same product: Fit2Cloud 1Panel)
CVE-2026-23525 (same product: Fit2Cloud 1Panel)
CVE-2026-32622 (same vendor: Fit2Cloud)
CVE-2025-61489 (shared CWE-77)
CVE-2026-33324 (same vendor: Fit2Cloud)
CVE-2025-66404 (shared CWE-77)
CVE-2026-32950 (same vendor: Fit2Cloud)
CVE-2025-70981 (same vendor: Fit2Cloud)
CVE-2026-30624 (shared CWE-77)
CVE-2025-61492 (shared CWE-77)

Affected Assets

fit2cloud · 1panel · ≤ 2.0.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SC-17 Public Key Infrastructure Certificates (prevent)

Requires cryptographic mechanisms to validate certificates during HTTPS communication, directly mitigating the incomplete certificate verification that enables unauthorized access.

SC-8 Transmission Confidentiality and Integrity (prevent)

Mandates cryptographic mechanisms for transmission confidentiality and integrity, ensuring proper TLS implementation that includes certificate validation to block unauthorized interface access.

prevent

Establishes a risk-based process to identify, prioritize, and remediate flaws like incomplete certificate verification, preventing RCE exploitation through timely patching.

References