A critical vulnerability has been identified in multiple Ajenti products, specifically impacting version 2.1.36. This flaw allows a remote attacker who has successfully logged into the Ajenti panel to bypass security controls and execute arbitrary commands on the underlying server, potentially leading to a complete system compromise. Due to the high severity and potential for full remote control, immediate remediation is strongly advised.

This is a post-authentication command injection vulnerability. An attacker with valid credentials to the Ajenti web panel, regardless of their privilege level, can exploit a flaw in the terminal creation API endpoint (/api/terminal/create). By sending a specially crafted request to this endpoint, the attacker can inject and execute arbitrary system commands, such as launching a netcat reverse shell to gain interactive remote access to the server with the privileges of the Ajenti service account.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the extreme risk it poses to the organization. Successful exploitation could lead to a complete compromise of the affected server, granting the attacker full administrative control. The potential consequences include theft or destruction of sensitive data, deployment of ransomware, disruption of critical business services hosted on the server, and the ability for the attacker to use the compromised system as a pivot point for further attacks into the internal network.

Immediate Action: The primary remediation is to upgrade all vulnerable Ajenti instances to the latest patched version immediately. Consult the official Ajenti security advisory for specific version details and patching instructions. After patching, it is crucial to review server and application logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring: System administrators should actively monitor web server access logs for suspicious POST requests to the /api/terminal/create endpoint. Network monitoring should be configured to detect and alert on unexpected outbound connections from the server hosting Ajenti, which could indicate a reverse shell. Host-based intrusion detection systems (HIDS) can also be used to monitor for unusual process execution or command-line activity originating from the Ajenti service.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Restrict network access to the Ajenti web interface to only trusted IP addresses using a firewall.
• Place the Ajenti instance behind a Web Application Firewall (WAF) with rules designed to block malicious command injection payloads targeting the /api/terminal/create endpoint.
• If the terminal functionality is not required, disable the terminal plugin within Ajenti's configuration.

Public Exploit Available: True

Due to the critical severity (CVSS 9.8) and the potential for complete system compromise via remote code execution, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize the patching of all affected Ajenti instances without delay. Although this CVE is not currently on the CISA KEV list, its public nature and severe impact mean it should be treated with the highest urgency, as if it were being actively exploited in the wild. If patching cannot be performed immediately, the compensating controls outlined above must be implemented as an urgent interim measure.