📄 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895

Description

Control Web Panel versions 0.9.8.1208 and below suffer from an issue where user input passed via the key GET parameter to /admin/index.php when the api parameter is set is not properly sanitized before being used to execute OS commands. This can be...

Visit Original Source

Basic Information

ID PACKETSTORM:212895

Published Dec 16, 2025 at 00:00

Affected Product

Affected Versions ------------------------------------------------------------------------------------
Control Web Panel <= 0.9.8.1208 (admin/index.php) OS Command Injection
Vulnerability
------------------------------------------------------------------------------------

[-] Software Link:

https://control-webpanel.com

[-] Affected Versions:

Version 0.9.8.1208 and prior versions.

[-] Vulnerability Description:

User input passed via the "key" GET parameter to /admin/index.php
(when the "api" parameter is set) is not properly sanitized before
being used to execute OS commands. This can be exploited by
unauthenticated attackers to inject and execute arbitrary OS commands
with the privileges of the root user on the web server.

Successful exploitation of this vulnerability requires "Softaculous"
and/or "SitePad" to be installed through the Scripts Manager.

[-] Proof of Concept:

https://[CWP]/admin/index.php?api=1&key=$(cmd)

[-] Solution:

Upgrade to version 0.9.8.1209 or later.

[-] Disclosure Timeline:

[12/03/2025] - Vulnerability discovered
[22/07/2025] - Version 0.9.8.1209 released, issue fixed by the vendor
[12/11/2025] - CVE identifier requested
[12/12/2025] - CVE identifier assigned
[16/12/2025] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures program (cve.org) has
assigned the name CVE-2025-67888 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2025-09

{
    "lastseen": "2025-12-16T18:52:32",
    "description": "Control Web Panel versions 0.9.8.1208 and below suffer from an issue where user input passed via the key GET parameter to /admin/index.php when the api parameter is set is not properly sanitized before being used to execute OS commands. This can be...",
    "published": "2025-12-16T00:00:00",
    "modified": "2025-12-16T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212895",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-67888"
    ],
    "sourceData": "------------------------------------------------------------------------------------\n    Control Web Panel <= 0.9.8.1208 (admin/index.php) OS Command Injection\n    Vulnerability\n    ------------------------------------------------------------------------------------\n    \n    \n    [-] Software Link:\n    \n    https://control-webpanel.com\n    \n    \n    [-] Affected Versions:\n    \n    Version 0.9.8.1208 and prior versions.\n    \n    \n    [-] Vulnerability Description:\n    \n    User input passed via the \"key\" GET parameter to /admin/index.php\n    (when the \"api\" parameter is set) is not properly sanitized before\n    being used to execute OS commands. This can be exploited by\n    unauthenticated attackers to inject and execute arbitrary OS commands\n    with the privileges of the root user on the web server.\n    \n    Successful exploitation of this vulnerability requires \"Softaculous\"\n    and/or \"SitePad\" to be installed through the Scripts Manager.\n    \n    \n    [-] Proof of Concept:\n    \n    https://[CWP]/admin/index.php?api=1&key=$(cmd)\n    \n    \n    [-] Solution:\n    \n    Upgrade to version 0.9.8.1209 or later.\n    \n    \n    [-] Disclosure Timeline:\n    \n    [12/03/2025] - Vulnerability discovered\n    [22/07/2025] - Version 0.9.8.1209 released, issue fixed by the vendor\n    [12/11/2025] - CVE identifier requested\n    [12/12/2025] - CVE identifier assigned\n    [16/12/2025] - Public disclosure\n    \n    \n    [-] CVE Reference:\n    \n    The Common Vulnerabilities and Exposures program (cve.org) has\n    assigned the name CVE-2025-67888 to this vulnerability.\n    \n    \n    [-] Credits:\n    \n    Vulnerability discovered by Egidio Romano.\n    \n    \n    [-] Original Advisory:\n    \n    http://karmainsecurity.com/KIS-2025-09",
    "sourceHref": "https://packetstorm.news/download/212895",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212895/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply