CVE-2025-32778

CRITICAL EXPLOITED NUCLEI

Lissy93/web-check < 2.0.1 - OS Command Injection via Screenshot API URL Parameter

Exploitation Summary

CVE-2025-32778 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, from researchers including 00xCanelo; one of them is a Metasploit module, exploits/multi/http/web_check_screenshot_rce. A Nuclei detection template is also available.

Description

Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (url) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments.

Exploits (2)

nomisec WORKING POC 3 stars
by 00xCanelo · remote
https://github.com/00xCanelo/CVE-2025-32778

This is a functional Python exploit for CVE-2025-32778, a command injection vulnerability in the Web-Check OSINT tool. It allows unauthenticated attackers to execute arbitrary commands via the `url` parameter in the screenshot API, supporting both reverse shells and custom shell payloads.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Web-Check OSINT tool (version not specified)
No auth needed
Prerequisites: Python 3.x · requests library · target URL with vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/web_check_screenshot_rce.rb

This Metasploit module exploits a command injection vulnerability in Web-Check's `/api/screenshot` endpoint by injecting commands via URL query parameters. It uses timing-based checks to confirm vulnerability and delivers a payload for remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Web-Check (versions prior to commit 0e4958aa10b2650d32439a799f6fc83a7cd46cef)
No auth needed
Prerequisites: Network access to the target's Web-Check instance · Target running a vulnerable version of Web-Check
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Web-Check < 2.0.1 Screenshot API - OS Command Injection
CRITICAL · VERIFIED · by gugacyber
Shodan: http.title:"Web-Check"
FOFA: title="Web-Check"

Scores

CVSS v4 9.3
EPSS 0.4472
EPSS Percentile 97.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-12-19
CWE CWE-78
Status published
Products (1)
Lissy93/web-check < 2.0.1
Published Apr 15, 2025
Tracked Since Feb 18, 2026