CVE-2025-54424

HIGH

Fit2cloud 1panel < 2.0.6 - Command Injection

Title source: rule

Description

1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during certificate validation, leading to unauthorized interface access. Due to the presence of numerous command execution or high-privilege interfaces in 1Panel, this results in Remote Code Execution (RCE). This is fixed in version 2.0.6. The CVE has been translated from Simplified Chinese using GitHub Copilot.

Exploits (4)

nomisec WORKING POC 57 stars

by Mr-xn · poc

https://github.com/Mr-xn/CVE-2025-54424

View Code ZIP pw:eip

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-54424

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by hophtien · poc

https://github.com/hophtien/CVE-2025-54424

View Code ZIP pw:eip

nomisec WORKING POC

by anonnymous5 · poc

https://github.com/anonnymous5/1Panel-CVE-2025-54424-

View Code ZIP pw:eip

References (3)

[Patch] https://github.com/1Panel-dev/1Panel/pull/9698/commits/4003284521f8d31ddaf7215d1c30ab8b4cdb0261

[Release Notes] https://github.com/1Panel-dev/1Panel/releases/tag/v2.0.6

[Exploit, Third Party Advisory] https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-8j63-96wh-wh3j

Scores

CVSS v3 8.1

EPSS 0.0054

EPSS Percentile 67.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (2)

1Panel-dev/1Panel 1.0.0 - 2.0.6Go

fit2cloud/1panel < 2.0.6

Published Aug 01, 2025

Tracked Since Feb 18, 2026