Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2023-35885

Disclosure Date: June 20, 2023

Description

CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.

Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

A significant vulnerability has been detected in CloudPanel. The root cause is attributed to the use of default secret keys and the default user being set as “clp”.

Vulnerability Description:

  1. No Session Authentication: CloudPanel’s file manager doesn’t enforce session authentication, resulting in a broken access control mechanism.
  2. Cookie Manipulation: The vulnerability can be exploited when the encrypted value of the cookie named “clp-fm” is set using the default secret key. Upon decryption, this cookie’s value is a serialized string.
  3. PHP Object Injection: Attackers can manipulate this decrypted serialized string to reset the user value to the default “clp”. Combined with PHP Object Injection, this can lead to more severe attacks.
  4. Elevated Access: The vulnerability allows attackers to gain unrestricted access to the file manager, where they can then upload malicious files to the main CloudPanel directory.
  5. Privilege Escalation: The default “clp” user possesses ‘sudo nopasswd’ rights, leading to a potential privilege escalation.

Technical Flow of the attack:

  • The component /home/clp/htdocs/app/files/public/file-manager/backend.php receives the encrypted “clp-fm” cookie value.
  • Post decryption, the value is deserialized. Exploiting this step gives attackers opportunities for post-exploitation, such as Remote Code Execution and Local File Disclosures.
  • The deserialized value is utilized as an object – specifically to pass the ‘user’ value to the variable $user.
  • Authentication to the file manager merely requires the “clp-fm” cookie. Once the decrypted cookie is passed, it provides backend unrestricted access. From here, the attacker can gain “clp” user rights, which essentially means root access.

In conclusion, the use of default configurations, the lack of session authentication, and the capability to inject PHP objects cumulatively pose a severe threat, enabling attackers to gain root access in systems using CloudPanel.
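The flow above, as an added illustration that is not CloudPanel's own code (the page does not show its cookie format or key handling): the first function reproduces the pattern the analysis describes, where a cookie decryptable with a shipped default key is the entire authentication and its plaintext is passed to `unserialize()`; the second shows the hardened shape a defender would expect. The constant `DEFAULT_SECRET`, the cookie layout, and the session key names are assumptions.

```php
<?php
// Added illustration, not CloudPanel's code. DEFAULT_SECRET stands for a key that
// ships identically on every install; the cookie layout below is a hypothetical one.
const DEFAULT_SECRET = 'placeholder-default-key';

// Vulnerable pattern: whoever knows the default key can mint a valid cookie, and
// unserialize() on attacker-controlled bytes is PHP Object Injection.
function vulnerableUserFromCookie(string $cookie): ?string
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 16) {
        return null;
    }
    $iv = substr($raw, 0, 16);
    $plain = openssl_decrypt(substr($raw, 16), 'aes-256-cbc', DEFAULT_SECRET, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) {
        return null;
    }
    $obj = unserialize($plain);   // arbitrary classes may be instantiated here
    return $obj->user ?? null;    // e.g. "clp", the user holding sudo NOPASSWD rights
}

// Hardened pattern: per-install secret, authenticity checked before anything is parsed,
// JSON instead of serialize(), and the cookie only confirms a server-side session.
function hardenedUserFromCookie(string $cookie, string $installSecret): ?string
{
    if ($installSecret === DEFAULT_SECRET) {
        throw new RuntimeException('refusing to run with the default secret');
    }
    [$payload, $mac] = array_pad(explode('.', $cookie, 2), 2, '');
    $expected = hash_hmac('sha256', $payload, $installSecret);
    if (!hash_equals($expected, $mac)) {
        return null;              // forged or foreign cookie: rejected before decoding
    }
    try {
        $decoded = base64_decode($payload, true);
        $data = json_decode($decoded === false ? '' : $decoded, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    if (!is_array($data) || !is_string($data['user'] ?? null)) {
        return null;              // strict schema: no objects, no classes, one string field
    }
    session_start();
    if (($_SESSION['fm_user'] ?? null) !== $data['user']) {
        return null;              // the server, not the cookie, decides who is logged in
    }
    return $data['user'];
}
```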

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • mgt-commerce

Products

  • cloudpanel
