Home

Description

VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation of Linux/ChachaDDoS, a multi-stage DDoS bot that uses Lua for second- and third-stage components. The compromise leaked administrative credentials (base64-encoded admin password and server domain) to an external URL during installation and/or resulted in the installer dropping and executing a DDoS malware payload under local system privileges. Compromised servers were subsequently observed participating in large-scale DDoS activity. Vesta acknowledged exploitation in the wild in October 2018.

PUBLISHED Reserved 2025-10-14 | Published 2025-10-15 | Updated 2025-10-15 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Problem types

CWE-506 Embedded Malicious Code

Product status

Default status
unaffected

commit a3f0fa1 (2018-05-31) before commit ee03eff (2018-06-13)
affected

Credits

Kaspersky Labs finder

References

www.welivesecurity.com/...ributed-servers-vestacp-installed/ technical-description

github.com/...ommit/ee03eff016e03cb76fac7ae3a0f9d1ef0f8ee35b patch

github.com/...ommit/a3f0fa1501d424477786e3e7150bb05c0b99518f exploit

forum.vestacp.com/viewtopic.php?f=10&t=17641&p=73282 issue-tracking

forum.vestacp.com/viewtopic.php?f=10&t=17641&start=180 vendor-advisory patch

vestacp.com/ product

github.com/outroll/vesta product

www.vulncheck.com/...icious-backdoor-supply-chain-compromise third-party-advisory

cve.org (CVE-2018-25117)

nvd.nist.gov (CVE-2018-25117)

Download JSON