HestiaCP 1.9.5 has released a critical update that addresses two significant vulnerabilities allowing unauthorized remote code execution and IP address spoofing, which have been actively targeted by automated attack scripts since mid-May. Although the official release notes do not mention these security fixes, it is imperative for server administrators to apply the update immediately to safeguard their systems. The vulnerabilities stem from a session deserialization flaw and improper handling of IP headers, which could allow attackers to gain root access without authentication. After updating, administrators should also purge old session files and review authentication logs to detect any potential compromises that may have occurred prior to the patch

HestiaCP 1.9.5 Update Fixes Critical RCE and IP Spoofing Flaws

HestiaCP 1.9.5 delivers a critical patch that closes two severe vulnerabilities allowing unauthenticated remote code execution and IP address spoofing. Automated attack scripts have already been targeting these flaws since mid-May, making immediate action essential for any live server. Although the official release notes quietly skip mentioning the security fixes, upgrading is non-negotiable to prevent full system compromise. After applying the update, administrators should purge old session files and audit authentication logs to ensure no malicious activity slipped through before the patch went live.

HestiaCP 1.9.5 Update Fixes Critical RCE and IP Spoofing Flaws @ Linux Compatible