Feed | Moskic

Project, notes, links, and thoughts from my corner of the internet
  1. Recently I’ve been learning ESP32 development and made a voice recorder firmware that runs on the Cardputer ADV. Maybe it’s the most powerful recorder firmware for the Cardputer ADV? (Since nobody else seems to have made one XD)

    https://github.com/Moskic/cardputer-adv-recorder GitHub - Moskic/cardputer-adv-recorder: A voice recorder and WAV player firmware for the M5Stack Cardputer ADV
  2. I recently handled a security incident involving an old Nezha Dashboard instance.

    The root cause was a critical Nezha vulnerability: GHSA-5c25-7vpj-9mqh. My dashboard was running v2.0.7, which was affected.

    Attack flow:

    1. Attacker accessed:
    /dashboard../data/config.yaml

    2. Dashboard config was exposed

    3. JWT / agent secrets were leaked

    4. Attacker forged admin access

    5. Malicious cron jobs were created through Nezha

    6. All connected agents started scanning servers for secrets

    7. Results were sent to external webhook endpoints

    Suspicious commands looked like:

    grep -rn 'AKIA|sk-ant|sk-proj|AIzaSy|github_pat_' /root /home /opt /etc /app /var /data /tmp

    curl http://169.254.169.254/...

    Impact:

    • Nezha JWT and agent secrets should be considered leaked
    • All connected nodes should be treated as exposed
    • Any API keys, cloud credentials, SSH keys, TLS keys, or tokens on those servers should be rotated

    Recommendations:

    • Upgrade Nezha immediately, at least to v2.0.13+
    • Stop all old agents
    • Re-register every node with new secrets
    • Do not reuse old config.yaml, SQLite DB, agent secret, or UUIDs
    • Do not expose the dashboard directly to the public Internet
    • Rotate passwords, SSH keys, API tokens, and TLS certificates

    Lesson learned:

    A monitoring dashboard with remote command execution is not “just a dashboard”. Treat it like critical infrastructure.
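As an added example (not part of Moskic's post or the Nezha project), here is a small Python triage script that turns the two indicator classes described above into detection logic: the `..` traversal request that reaches `config.yaml` (including percent-encoded variants) in a reverse-proxy access log, and cron/agent commands that grep for several credential prefixes or contact the cloud metadata service at 169.254.169.254. The log lines and command list are constructed sample data; the log format is assumed to be the common combined format.

```python
import re
from urllib.parse import unquote

# Constructed sample of reverse-proxy access-log lines (not real data). The
# traversal path matches the one observed in the incident write-up above.
ACCESS_LOG = """\
203.0.113.7 - - [01/May/2025:10:01:02 +0000] "GET /dashboard HTTP/1.1" 200 5120
203.0.113.7 - - [01/May/2025:10:01:09 +0000] "GET /dashboard../data/config.yaml HTTP/1.1" 200 1843
203.0.113.7 - - [01/May/2025:10:01:11 +0000] "GET /dashboard%2e%2e/data/config.yaml HTTP/1.1" 200 1843
198.51.100.4 - - [01/May/2025:10:02:00 +0000] "GET /api/v1/server HTTP/1.1" 200 900
"""

# Constructed sample of commands pulled from the dashboard's cron job list
# (not real data); two of them mirror the post-compromise commands above.
CRON_COMMANDS = [
    "df -h",
    "grep -rn 'AKIA|sk-ant|sk-proj|AIzaSy|github_pat_' /root /home /opt /etc /app /var /data /tmp",
    "curl http://169.254.169.254/latest/meta-data/",
    "uptime",
]

# Combined log format: client IP first, then the request line in quotes.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# Credential-prefix tokens taken from the attacker's grep; a job that searches
# for two or more of them at once is almost certainly harvesting secrets.
SECRET_PREFIXES = ("AKIA", "sk-ant", "sk-proj", "AIzaSy", "github_pat_")
IMDS_HOST = "169.254.169.254"  # link-local cloud metadata endpoint


def parse_request(line):
    """Return (ip, method, path) for one access-log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("path")


def is_config_traversal(path):
    """True if the path uses '..' (plain or percent-encoded) to reach the data dir or config.yaml."""
    decoded = unquote(unquote(path))  # two passes so double-encoded dots are also caught
    return ".." in decoded and ("config.yaml" in decoded or "/data/" in decoded)


def traversal_hits(log_text):
    """Return a list of (ip, path) for requests that look like the config-leak traversal."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_request(line)
        if parsed and is_config_traversal(parsed[2]):
            hits.append((parsed[0], parsed[2]))
    return hits


def is_credential_hunt(command):
    """True if a cron/agent command greps for several secret prefixes or touches the metadata service."""
    prefix_count = sum(1 for p in SECRET_PREFIXES if p in command)
    return prefix_count >= 2 or IMDS_HOST in command


def triage(log_text, commands):
    """Summarise both indicator classes so a responder can decide whether to start rotating secrets."""
    web = traversal_hits(log_text)
    bad_jobs = [c for c in commands if is_credential_hunt(c)]
    return {
        "traversal_requests": web,
        "suspicious_jobs": bad_jobs,
        "assume_config_leaked": bool(web),
        "assume_agents_compromised": bool(bad_jobs),
    }


if __name__ == "__main__":
    report = triage(ACCESS_LOG, CRON_COMMANDS)
    for ip, path in report["traversal_requests"]:
        print(f"[web] config traversal from {ip}: {path}")
    for cmd in report["suspicious_jobs"]:
        print(f"[cron] credential-hunting job: {cmd}")
    if report["assume_config_leaked"] or report["assume_agents_compromised"]:
        print("Treat JWT/agent secrets as leaked; rotate and re-register all nodes.")
```

A single successful (HTTP 200) traversal hit is enough to conclude that `config.yaml` and therefore the JWT and agent secrets are gone, which is why `assume_config_leaked` is true on any hit rather than on a threshold; the cron check is deliberately loose (two prefixes or the metadata host) because legitimate monitoring jobs rarely search for API-key prefixes across the whole filesystem.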