CVE-2021-37840

HIGH

aaPanel <= 6.8.12 - Cross-Site WebSocket Hijacking via /webssh Terminal


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-37840. PoCs published by EonSecurity.

AI-analyzed exploit summary

This repository contains a functional exploit for CVE-2021-37840, demonstrating a WebSocket CSRF bypass in aaPanel that leads to remote code execution. The exploit leverages an incomplete fix where WebSocket endpoints accept connections before authentication and the CSRF token check can be bypassed.

Description

aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least one host). Successful exploitation depends on the browser used by a potential victim (e.g., exploitation can occur with Firefox but not Chrome).

Exploits (1)

nomisec WORKING POC
by EonSecurity · poc
https://github.com/EonSecurity/aapanel-ws-bypass


Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: aaPanel (versions 6.8.12 through 8.10.0)
Auth required
Prerequisites: Victim must be logged into aaPanel · WebSocket endpoint must be accessible
devstral-2 · analyzed Jun 23, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/aaPanel/aaPanel/issues/74
Exploit, Third Party Advisory x_refsource_misc
https://ssd-disclosure.com/ssd-advisory-aapanel-cswh-to-rce/

Scores

CVSS v3 8.8
EPSS 0.0166
EPSS Percentile 73.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
aapanel/aapanel < 6.8.12
Published Aug 02, 2021
Tracked Since Feb 18, 2026