CyberPanel 2.1 RCE via Symlink Attack (CVE-2021-47949)
The National Vulnerability Database lists CVE-2021-47949, a critical command execution vulnerability in CyberPanel 2.1. The flaw lets authenticated attackers carry out symlink attacks through the /filemanager/controller endpoint. By manipulating the completeStartingPath parameter in POST requests, attackers can create symbolic links to sensitive files.
This vulnerability, with a CVSS score of 8.8 (HIGH), enables threat actors to read arbitrary files, including database credentials, and execute remote code. The National Vulnerability Database specifies that arbitrary shell commands can be executed via the /websites/fetchFolderDetails endpoint, making this a severe issue for affected instances. The underlying weakness is identified as CWE-59 (Improper Link Resolution).
Organizations running CyberPanel 2.1 are at significant risk. An attacker with authenticated access can leverage this to gain full system control, exfiltrate data, or deploy further malicious payloads. This isn’t theoretical; it’s a direct path to compromise if not addressed.
What This Means For You
- If your organization uses CyberPanel 2.1, you need to immediately patch to a secure version. Audit your file system for any unauthorized symbolic links or suspicious file access attempts, especially around sensitive configuration files and user directories.
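One way to run the symlink audit described above, as an added example that is not part of the original post or of CyberPanel: it walks a site directory without following links and reports every symbolic link whose target resolves outside that directory. The directory layout and file names are constructed sample data; on a real host, pass the website root directories as arguments.

```python
import os
import sys
import tempfile


def find_escaping_symlinks(root):
    """Return sorted (link, resolved_target) pairs for symlinks under root
    whose target resolves outside root. The walk never follows links."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)  # resolves relative and chained links
            # commonpath compares whole components, so /home/a-old is not "inside" /home/a
            if os.path.commonpath([root_real, target]) != root_real:
                findings.append((link, target))
    return sorted(findings)


def make_constructed_tree(base):
    """Build a constructed sample layout: one site directory and one file
    outside it standing in for a credentials file. Returns the site root."""
    site = os.path.join(base, "example.test", "public_html")
    os.makedirs(os.path.join(site, "assets"))
    secret = os.path.join(base, "db_credentials.txt")
    with open(secret, "w") as fh:
        fh.write("constructed placeholder\n")
    with open(os.path.join(site, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    os.symlink("index.html", os.path.join(site, "home.html"))  # stays inside: ignored
    os.symlink(secret, os.path.join(site, "notes.txt"))  # absolute target outside the site
    os.symlink("../../../db_credentials.txt",
               os.path.join(site, "assets", "logo.png"))  # relative target outside the site
    return site


if __name__ == "__main__":
    # With no arguments, audit the constructed sample tree instead of a real host path.
    roots = sys.argv[1:] or [make_constructed_tree(tempfile.mkdtemp())]
    for root in roots:
        for link, target in find_escaping_symlinks(root):
            print(f"{link} -> {target}")
```

Links that point elsewhere inside the same site are not reported, so each hit is a link that crosses the site boundary and should be checked against what the site owner is expected to have created.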
🛡️ Detection Rules
CVE-2021-47949 - CyberPanel File Manager Symlink Attack
```yaml
title: CVE-2021-47949 - CyberPanel File Manager Symlink Attack
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2021-47949 by targeting the CyberPanel file manager controller endpoint. This vulnerability allows authenticated attackers to create symbolic links, potentially leading to arbitrary file reads and remote code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47949/
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/filemanager/controller'
    # A field with no modifier is matched exactly; Sigma has no 'exact' modifier
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47949 | RCE | CyberPanel 2.1 |
| CVE-2021-47949 | Command Injection | filemanager controller endpoint |
| CVE-2021-47949 | Path Traversal | symlink attacks via completeStartingPath parameter in POST requests to /filemanager/controller |
| CVE-2021-47949 | Information Disclosure | read sensitive files like database credentials |
| CVE-2021-47949 | Command Injection | execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 10, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.