Exploitation Summary
EIP tracks 2 public exploits for CVE-2025-67888.
PoCs published by reewardius, Lukas Johannes Möller and Egidio Romano, including the Metasploit module exploits/linux/http/control_web_panel_api_cmd_exec.
AI-analyzed exploit summary: The repository provides a functional proof-of-concept for an OS command injection vulnerability in Control Web Panel (CWP) versions <= 0.9.8.1208. The exploit leverages unsanitized input via the 'key' GET parameter in '/admin/index.php' when the 'api' parameter is set, allowing unauthenticated attackers to execute arbitrary commands with root privileges.
Description
An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.
Exploits (2)
The repository provides a functional proof-of-concept for an OS command injection vulnerability in Control Web Panel (CWP) versions <= 0.9.8.1208. The exploit leverages unsanitized input via the 'key' GET parameter in '/admin/index.php' when the 'api' parameter is set, allowing unauthenticated attackers to execute arbitrary commands with root privileges.
This Metasploit module exploits an unauthenticated command injection vulnerability in Control Web Panel (CWP) via the 'key' parameter in /admin/index.php when 'api' is set. It supports both direct command execution and staged payload delivery.
References (3)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L