CVE-2013-10053

HIGH

ZPanel < 10.0.0.2 - Authenticated Remote Code Execution via htpasswd Module Username Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-10053. PoCs published by shachibista, sinn3r, including Metasploit module exploits/unix/webapp/zpanel_username_exec.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in ZPanel's htpasswd module, allowing authenticated users to execute arbitrary system commands via the username field. The exploit leverages CSRF token handling and session management to authenticate and inject the payload.

Description

A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges.

Exploits (1)

metasploit WORKING POC EXCELLENT
by shachibista, sinn3r · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/zpanel_username_exec.rb

Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ZPanel 10.0.0.2
Auth required
Prerequisites: Valid ZPanel credentials · Access to the htpasswd module
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4: 8.7
EPSS: 0.0103
EPSS Percentile: 59.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (1): ZPanel Project/ZPanel < 10.0.0.2
Published: Aug 01, 2025
Tracked Since: Feb 18, 2026