CVE-2025-67888

Control Web Panel /admin/index.php Unauthenticated RCE

Description

Control Web Panel (CWP) versions <= 0.9.8.1208 are vulnerable to unauthenticated OS command injection. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of the root user on the web server. Successful exploitation usually requires "Softaculous" and/or "SitePad" to be installed through the Scripts Manager.

Exploits (2)

github · WORKING POC
by reewardius · poc
https://github.com/reewardius/CVE-2025-67888

metasploit · WORKING POC · EXCELLENT
by Lukas Johannes Möller, Egidio Romano · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/control_web_panel_api_cmd_exec.rb

Details

Status draft
Tracked Since Feb 18, 2026