Threat Advisory

Froxlor Vulnerability Enables Remote Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Froxlor 2.3.6, an open‑source hosting control panel. The issues include a privilege‑escalation flaw that allows a malicious customer to gain root SSH access via a symlinked authorized_keys file, and an authorization bypass that lets customers assign arbitrary shells to FTP accounts, potentially granting them full system login. Both vulnerabilities stem from improper validation of file paths and shell parameters, enabling attackers with a compromised customer account to elevate privileges and bypass intended security controls. The business risk includes total loss of confidentiality, integrity, and availability of hosted services, as attackers could obtain unrestricted control over the server and all tenant data.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Froxlor 2.3.6, an open‑source hosting control panel. The issues include a privilege‑escalation flaw that allows a malicious customer to gain root SSH access via a symlinked authorized_keys file, and an authorization bypass that lets customers assign arbitrary shells to FTP accounts, potentially granting them full system login. Both vulnerabilities stem from improper validation of file paths and shell parameters, enabling attackers with a compromised customer account to elevate privileges and bypass intended security controls. The business risk includes total loss of confidentiality, integrity, and availability of hosted services, as attackers could obtain unrestricted control over the server and all tenant data.[emaillocker id="1283"]

  • CVE-2026-41236 – A symlink-following flaw in the SSH key synchronization routine allows a customer with shell access to replace their ~/.ssh/authorized_keys with a symlink to /root/.ssh/authorized_keys; when the privileged cron task runs, the attacker‑supplied key is appended to root’s authorized_keys, granting full root SSH access. Exploitation requires an authenticated customer account with shell_enabled and write access to their home directory.
  • CVE-2026-41235 with a CVSS score of 8.8 – An authorization bypass in the FTP shell assignment lets a customer bypass the configured system.available_shells whitelist and set an arbitrary login shell such as /bin/bash for an FTP user; the root‑owned cron later writes this shell into the system passwd file, providing the attacker with direct shell access to the host. Exploitation requires a legitimate customer account with shell delegation enabled.

These vulnerabilities give a malicious customer a direct path to full system compromise, bypassing existing isolation between tenant and host. Immediate attention is required because exploitation can be performed remotely once a customer account is compromised, leading to loss of data, service disruption, and reputational damage. The combined risk is high, as successful attacks result in unrestricted root control over the hosting environment.

RECOMMENDATION:

  • We recommend you to update Froxlor to version 2.3.7.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-mq5v-pxpm-8jw2
https://github.com/advisories/GHSA-gcv3-5v9q-fmhh

[/emaillocker]
crossmenu