Why 1Panel’s TLS Policy Lets Attackers Execute Remote Commands

The open‑source 1Panel Linux management panel suffered a remote command execution flaw because vulnerable versions of its Agent used tls.RequireAnyClientCert, a Go TLS policy that demands a client certificate but never verifies it. A self‑signed certificate carrying a forged CN therefore satisfied the Agent's CN‑based authorization check. The fix switches to tls.RequireAndVerifyClientCert and loads a trusted root CA so that the client certificate must chain to that CA before the connection is accepted.

Laravel Tech Community

Overview

1Panel is an open‑source Linux operations panel that provides a graphical interface for deploying websites, managing servers and running services.

Vulnerability

In versions prior to 2.0.6 the Agent component configures its TLS server with the Go client‑authentication policy tls.RequireAnyClientCert. This policy only requires the client to present a certificate; it performs no verification that the certificate chains to a trusted root, so every field of the presented certificate, including the subject, is attacker‑controlled. The Agent then authorizes the caller at the application level by checking that the certificate's Common Name (CN) is panel_client. An attacker can generate a self‑signed certificate with CN set to panel_client, present it during the handshake and satisfy that check. The forged certificate can then be used to call the Agent's command‑execution APIs without authorization, resulting in remote code execution (RCE).

Technical Details

TLS policy before fix: tls.RequireAnyClientCert

Required condition for exploit: client presents any certificate; no verification against a trust anchor.

Attack steps:

Generate a self‑signed X.509 certificate with CN=panel_client.

Connect to the Agent’s TLS endpoint using the forged certificate.

Invoke a privileged API endpoint (e.g., /api/exec) that authorizes the caller solely on the certificate's CN.

Execute arbitrary shell commands on the server.

Impact

The vulnerability allows unauthenticated attackers to execute arbitrary commands with the privileges of the 1Panel Agent process, potentially compromising the entire host.

Fix

The remediation changes the TLS configuration to tls.RequireAndVerifyClientCert and loads a root CA certificate into the server's client CA pool as the trust anchor. The TLS server then verifies that the client certificate chains to that CA before the handshake completes; a self‑signed certificate is rejected at the TLS layer, so the CN check is never reached with attacker‑chosen input.

Upgrade the 1Panel component to version 2.0.6 or later.
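The following Go program is an added example, not code from 1Panel or from the advisory, that reproduces the vulnerability and the fix side by side. It creates a private CA, an Agent server certificate, a CA‑issued client certificate with CN panel_client and an attacker's self‑signed certificate with the same CN, all in memory. A minimal stand‑in for the Agent (the Subject CN check, the listener on loopback and the names newCert, agentConfig, runScenario and trustedCN are all assumptions of this example) is started once with the pre‑2.0.6 policy and once with the remediation, and each run reports whether the Agent would have authorized the caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// trustedCN is the Common Name the Agent's application-level check looks for.
const trustedCN = "panel_client"

// newCert issues an in-memory ECDSA P-256 certificate for cn. With parent == nil
// it is self-signed (how both the private CA and the attacker's forgery are
// made); otherwise it is signed by parent's key.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // server cert must verify on loopback
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey.(*ecdsa.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// agentConfig builds the Agent's server-side TLS config. fixed == false mirrors
// the pre-2.0.6 policy (any client certificate, no trust anchor); fixed == true
// is the remediation: the client chain must verify against rootCA.
func agentConfig(fixed bool, serverCert tls.Certificate, rootCA *x509.Certificate) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAnyClientCert}
	if fixed {
		pool := x509.NewCertPool()
		pool.AddCert(rootCA)
		cfg.ClientAuth, cfg.ClientCAs = tls.RequireAndVerifyClientCert, pool
	}
	return cfg
}

// runScenario starts an Agent listener on loopback with cfg, connects to it
// presenting clientCert and returns the Agent's decision: nil means the
// "command" would have been executed for this caller.
func runScenario(cfg *tls.Config, clientCert tls.Certificate, rootCA *x509.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	decision := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			decision <- err
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			decision <- err // under RequireAndVerifyClientCert a forged cert fails here
			return
		}
		// Application-level check: authorize by CN alone. Under
		// RequireAnyClientCert the attacker chose that CN, so this passes.
		certs := tc.ConnectionState().PeerCertificates
		if len(certs) == 0 || certs[0].Subject.CommonName != trustedCN {
			decision <- errors.New("unauthorized: CN mismatch")
			return
		}
		decision <- nil // an /api/exec-style handler would run the command here
	}()
	roots := x509.NewCertPool()
	roots.AddCert(rootCA)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: roots,
		// An attacker's client sends its certificate no matter which CAs the
		// server advertises; GetClientCertificate forces the same behaviour.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &clientCert, nil },
	})
	if err == nil {
		conn.Read(make([]byte, 1)) // returns on the Agent's alert or close
		conn.Close()
	}
	return <-decision
}

func main() {
	ca := newCert("1Panel private CA (example)", true, nil)
	server := newCert("1panel-agent", false, &ca)
	legit := newCert(trustedCN, false, &ca)  // issued by the CA the Agent trusts
	forged := newCert(trustedCN, false, nil) // attacker: self-signed, same CN
	fmt.Println("RequireAnyClientCert, forged:      ", runScenario(agentConfig(false, server, ca.Leaf), forged, ca.Leaf))
	fmt.Println("RequireAndVerifyClientCert, forged:", runScenario(agentConfig(true, server, ca.Leaf), forged, ca.Leaf))
	fmt.Println("RequireAndVerifyClientCert, issued:", runScenario(agentConfig(true, server, ca.Leaf), legit, ca.Leaf))
}
```

Under the vulnerable policy the forged certificate reaches the CN check and is authorized; under the fixed policy the handshake itself fails with a certificate‑verification error before any application code runs, while the CA‑issued certificate is still accepted. Note that Go's own TLS client would normally refuse to offer a certificate whose issuer is not in the server's advertised CA list, which is why the example forces it through GetClientCertificate; a non‑cooperative attacker client has no such restraint, so the only defence is verification on the server side.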

Identifiers

Name: 1Panel Agent Certificate Verification Bypass Leading to Arbitrary Command Execution

Type: Improper Certificate Validation

Discovery date: 2025‑08‑01

CVE: CVE‑2025‑54424

MPS ID: MPS‑hkm8‑970s

Reference

https://www.oscs1024.com/hd/MPS-hkm8-970s

Tags: Information Security, remote code execution, TLS, 1Panel, CVE-2025-54424
Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
