{"id":31417,"date":"2025-12-16T13:38:18","date_gmt":"2025-12-16T13:38:18","guid":{"rendered":"http:\/\/localhost\/?p=31417"},"modified":"2025-12-16T13:38:18","modified_gmt":"2025-12-16T13:38:18","slug":"control-web-panel-0981208-command-injection","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=31417","title":{"rendered":"\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895"},"content":{"rendered":"

{“lastseen”:”2025-12-16T18:52:32″,”description”:”Control Web Panel versions 0.9.8.1208 and below suffer from an issue where user input passed via the key GET parameter to \/admin\/index.php when the api parameter is set is not properly sanitized before being used to execute OS commands. This can be…”,”published”:”2025-12-16T00:00:00″,”modified”:”2025-12-16T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212895″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-67888″],”sourceData”:”————————————————————————————\\n Control Web Panel \\u003c= 0.9.8.1208 (admin\/index.php) OS Command Injection\\n Vulnerability\\n ————————————————————————————\\n \\n \\n [-] Software Link:\\n \\n https:\/\/control-webpanel.com\\n \\n \\n [-] Affected Versions:\\n \\n Version 0.9.8.1208 and prior versions.\\n \\n \\n [-] Vulnerability Description:\\n \\n User input passed via the \\”key\\” GET parameter to \/admin\/index.php\\n (when the \\”api\\” parameter is set) is not properly sanitized before\\n being used to execute OS commands. This can be exploited by\\n unauthenticated attackers to inject and execute arbitrary OS commands\\n with the privileges of the root user on the web server.\\n \\n Successful exploitation of this vulnerability requires \\”Softaculous\\”\\n and\/or \\”SitePad\\” to be installed through the Scripts Manager.\\n \\n \\n [-] Proof of Concept:\\n \\n https:\/\/[CWP]\/admin\/index.php?api=1\\u0026key=$(cmd)\\n \\n \\n [-] Solution:\\n \\n Upgrade to version 0.9.8.1209 or later.\\n \\n \\n [-] Disclosure Timeline:\\n \\n [12\/03\/2025] – Vulnerability discovered\\n [22\/07\/2025] – Version 0.9.8.1209 released, issue fixed by the vendor\\n [12\/11\/2025] – CVE identifier requested\\n [12\/12\/2025] – CVE identifier assigned\\n [16\/12\/2025] – Public disclosure\\n \\n \\n [-] CVE Reference:\\n \\n The Common Vulnerabilities and Exposures program (cve.org) has\\n assigned the name CVE-2025-67888 to this vulnerability.\\n \\n \\n [-] Credits:\\n \\n Vulnerability discovered by Egidio Romano.\\n \\n \\n [-] Original Advisory:\\n \\n http:\/\/karmainsecurity.com\/KIS-2025-09″,”sourceHref”:”https:\/\/packetstorm.news\/download\/212895″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212895\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-16T18:52:32″,”description”:”Control Web Panel versions 0.9.8.1208 and below suffer from an issue where user input passed via the key GET parameter to \/admin\/index.php when the api…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-31417","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=31417\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-16T18:52:32″,”description”:”Control Web Panel versions 0.9.8.1208 and below suffer from an issue where user input passed via the key GET parameter to \/admin\/index.php when the api...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=31417\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-16T13:38:18+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=31417#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=31417\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895\",\"datePublished\":\"2025-12-16T13:38:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=31417\"},\"wordCount\":389,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=31417#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=31417\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=31417\",\"name\":\"\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-16T13:38:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=31417#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=31417\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=31417#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=31417","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895 - zero redgem","og_description":"{“lastseen”:”2025-12-16T18:52:32″,”description”:”Control Web Panel versions 0.9.8.1208 and below suffer from an issue where user input passed via the key GET parameter to \/admin\/index.php when the api...","og_url":"https:\/\/zero.redgem.net\/?p=31417","og_site_name":"zero redgem","article_published_time":"2025-12-16T13:38:18+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=31417#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=31417"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895","datePublished":"2025-12-16T13:38:18+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=31417"},"wordCount":389,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=31417#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=31417","url":"https:\/\/zero.redgem.net\/?p=31417","name":"\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-16T13:38:18+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=31417#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=31417"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=31417#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Control Web Panel 0.9.8.1208 Command Injection_PACKETSTORM:212895"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/31417","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=31417"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/31417\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=31417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=31417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=31417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}