CVE-2025-54424

HIGH

1Panel < 2.0.6 - Remote Code Execution via Incomplete Certificate Verification

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-54424. PoCs published by Mr-xn, XiaomingX, hophtien.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-54424, which leverages a client certificate bypass vulnerability in 1Panel to achieve remote code execution (RCE) via WebSocket interaction. The exploit includes both scanning and interactive shell capabilities.

Description

1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during certificate validation, leading to unauthorized interface access. Due to the presence of numerous command execution or high-privilege interfaces in 1Panel, this results in Remote Code Execution (RCE). This is fixed in version 2.0.6. The CVE has been translated from Simplified Chinese using GitHub Copilot.

Exploits (4)

nomisec WORKING POC 57 stars

by Mr-xn · poc

https://github.com/Mr-xn/CVE-2025-54424

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-54424, which leverages a client certificate bypass vulnerability in 1Panel to achieve remote code execution (RCE) via WebSocket interaction. The exploit includes both scanning and interactive shell capabilities.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: 1Panel (version not specified)

No auth needed

Prerequisites: Network access to the target · Python environment with required libraries

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-54424

View Code ZIP pw:eip

This repository contains a functional SQL injection exploit for WordPress Quiz Maker plugin (CVE-2025-10042). The Python script demonstrates time-based SQLi via crafted HTTP headers to extract admin credentials.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: WordPress site with vulnerable Quiz Maker plugin · accessible quiz page path

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 1 stars

by hophtien · poc

https://github.com/hophtien/CVE-2025-54424

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-54424, which leverages a client certificate bypass vulnerability in 1Panel to achieve remote code execution (RCE) via WebSocket connections. The exploit dynamically generates a self-signed certificate with a specific Common Name (CN) to bypass authentication and establish an interactive shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: 1Panel (version not specified)

No auth needed

Prerequisites: Network access to the target 1Panel instance · Python environment with required libraries (requests, websocket-client, cryptography)

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC

by anonnymous5 · poc

https://github.com/anonnymous5/1Panel-CVE-2025-54424-

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-54424, targeting a client certificate bypass vulnerability in 1Panel. The exploit dynamically generates a self-signed certificate to bypass authentication and establishes a WebSocket connection for remote command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: 1Panel

No auth needed

Prerequisites: Network access to the target · Python environment with required libraries

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-8j63-96wh-wh3j

Patch x_refsource_misc

https://github.com/1Panel-dev/1Panel/pull/9698/commits/4003284521f8d31ddaf7215d1c30ab8b4cdb0261

Release Notes x_refsource_misc

https://github.com/1Panel-dev/1Panel/releases/tag/v2.0.6

Scores

CVSS v3 8.1

EPSS 0.0119

EPSS Percentile 79.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (2)

1Panel-dev/1Panel 1.0.0 - 2.0.6Go

fit2cloud/1panel < 2.0.6

Published Aug 01, 2025

Tracked Since Feb 18, 2026