CVE-2023-35885

CRITICAL EXPLOITED IN THE WILD NUCLEI

CloudPanel 2.0.0-2.3.0 - Unauthenticated Remote Code Execution via File Manager Cookie

Title source: llm

Exploitation Summary

CVE-2023-35885 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including datackmy, Chocapikk. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a working exploit for CVE-2023-35885, targeting CloudPanel versions 2.0.0 to 2.3.0. The exploit leverages a deserialization vulnerability to upload a webshell and execute commands, ultimately adding a sudo-privileged user.

Description

CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.

Exploits (2)

nomisec WORKING POC 56 stars

by datackmy · remote

https://github.com/datackmy/FallingSkies-CVE-2023-35885

View Code ZIP pw:eip

This repository contains a working exploit for CVE-2023-35885, targeting CloudPanel versions 2.0.0 to 2.3.0. The exploit leverages a deserialization vulnerability to upload a webshell and execute commands, ultimately adding a sudo-privileged user.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: CloudPanel v2.0.0 - v2.3.0

No auth needed

Prerequisites: Network access to the target CloudPanel instance · PHP 8.1 installed locally for encryption

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by Chocapikk · remote

https://github.com/Chocapikk/CVE-2023-35885

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-35885, targeting CloudPanel 2 versions prior to 2.3.1. The exploit leverages insecure file-manager cookie authentication to achieve remote code execution (RCE) with root privileges by uploading a malicious PHP shell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: CloudPanel 2 < 2.3.1

No auth needed

Prerequisites: Network access to the target CloudPanel instance · File-manager endpoint accessible

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Cloudpanel 2 < 2.3.1 - Remote Code Execution

CRITICALVERIFIEDby DhiyaneshDk

Shodan: title:"Cloudpanel" || http.title:"cloudpanel" || http.favicon.hash:"151132309"

FOFA: icon_hash="151132309" || title="cloudpanel"

References (3)

Core 3

Core References

Exploit

https://github.com/datackmy/FallingSkies-CVE-2023-35885

Release Notes

https://www.cloudpanel.io/docs/v2/changelog/

Exploit

https://www.datack.my/fallingskies-cloudpanel-0-day/

Scores

CVSS v3 9.8

EPSS 0.9412

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2024-02-14

InTheWild.io 2024-09-18

CWE

CWE-565

Status published

Products (1)

mgt-commerce/cloudpanel 2.0.0 - 2.3.1

Published Jun 20, 2023

Tracked Since Feb 18, 2026