CVE-2025-67888
Command Injection in Control Web Panel
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| control_web_panel | cwp | up to 0.9.8.1208 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the vulnerability in Control Web Panel (CWP) affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in Control Web Panel (CWP) versions before 0.9.8.1209. It occurs because user input passed through the "key" GET parameter to the /admin/index.php file (when the "api" parameter is set) is not properly sanitized. This improper sanitization allows unauthenticated attackers to inject and execute arbitrary operating system commands on the web server.
Exploitation requires that either Softaculous or SitePad is installed via the Scripts Manager. When exploited, attackers can run OS commands with root privileges, which means they gain full control over the server.
How can this vulnerability impact me?
If exploited, this vulnerability allows unauthenticated attackers to execute arbitrary OS commands with root privileges on the affected web server. This can lead to complete compromise of the server, including unauthorized access to sensitive data, modification or deletion of files, installation of malware, and disruption of services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Control Web Panel (CWP) version is 0.9.8.1208 or earlier and if Softaculous or SitePad is installed via the Scripts Manager.
To detect exploitation attempts, monitor web server logs for requests to /admin/index.php that include the "api" parameter set and a "key" GET parameter containing suspicious or command injection payloads.
You can use commands like the following to search for suspicious access patterns in your web server logs:
- `grep -i '/admin/index.php' /var/log/apache2/access.log | grep 'api=' | grep 'key='`
- `grep -E 'key=.*(;|&&|\|\|)' /var/log/apache2/access.log`
Additionally, you can scan your CWP version with commands like:
- `rpm -qa | grep cwp`
- `cat /usr/local/cwp/version`
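The grep commands above only match a literal `;`, `&&` or `||` in the raw request line, so a client that URL-encodes the metacharacter (`%3B`, `%26%26`) or double-encodes it (`%253B`) slips past them. The following script is an added example, not part of this advisory or of the CWP project: it parses Apache "combined" access-log lines, keeps only requests to /admin/index.php that carry both the `api` and `key` parameters (the condition the advisory describes), decodes the `key` value twice, and reports any shell metacharacter found. The log lines are constructed samples, and the set of metacharacters checked is this example's own choice.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2026:10:01:02 +0000] "GET /admin/index.php?api=1&key=abcdef123 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [08/May/2026:10:01:05 +0000] "GET /admin/index.php?api=1&key=abc;test HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [08/May/2026:10:01:09 +0000] "GET /admin/index.php?api=1&key=abc%26%26test HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.11 - - [08/May/2026:10:01:12 +0000] "GET /admin/index.php?api=1&key=abc%253Btest HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.2 - - [08/May/2026:10:02:00 +0000] "GET /admin/index.php?key=abc;test HTTP/1.1" 403 120 "-" "curl/8.0"
198.51.100.4 - - [08/May/2026:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, two dash fields, bracketed timestamp, then
# the quoted request line "METHOD TARGET PROTOCOL". Only IP and TARGET matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+"'
)

# Characters that change the meaning of a command line passed to a shell (CWE-78).
# Covers ; & | as well as backtick, $(...), redirection and embedded newlines.
META_RE = re.compile(r'[;|&`$()<>\n]')


def parse_query(query):
    """Split a raw query string into {name: [values]}, decoding each part once.

    Done by hand rather than with urllib.parse.parse_qs so that a literal ';'
    in a value is never treated as a pair separator (older Python versions do that).
    """
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def flag_requests(log_text):
    """Return one finding per request matching the CVE-2025-67888 pattern.

    A request is flagged when it targets /admin/index.php, carries both the
    'api' and 'key' parameters, and the decoded 'key' value contains a shell
    metacharacter.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group('target').partition('?')
        if path != '/admin/index.php':
            continue
        params = parse_query(query)
        if 'api' not in params or 'key' not in params:
            continue
        for key_value in params['key']:
            # Second decode so a double-encoded byte (%253B -> %3B -> ;) is not missed.
            decoded = unquote_plus(key_value)
            hit = META_RE.search(decoded)
            if hit:
                findings.append({
                    'ip': m.group('ip'),
                    'key': decoded,
                    'metachar': hit.group(0),
                })
    return findings


if __name__ == '__main__':
    for f in flag_requests(SAMPLE_LOG):
        print(f"{f['ip']}: key={f['key']!r} (metacharacter {f['metachar']!r})")
```

Run against a real log with `flag_requests(open('/var/log/apache2/access.log').read())`. The fifth sample line (a `;` in `key` but no `api` parameter) is deliberately not flagged because the advisory ties the injection to requests where `api` is set; widen the condition if you prefer to see every suspicious `key` value regardless.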
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Control Web Panel (CWP) to version 0.9.8.1209 or later, where this vulnerability has been fixed.
If upgrading immediately is not possible, consider disabling or restricting access to /admin/index.php with the "api" parameter, especially if Softaculous or SitePad are installed.
Additional security measures include:
- Restricting web server access to trusted IP addresses for the admin panel.
- Implementing Web Application Firewall (WAF) rules to block suspicious requests containing command injection patterns.
- Following general CWP security best practices such as setting strict file permissions, disabling dangerous PHP functions, and using ModSecurity and FileSystemLock.
Regularly monitor logs for suspicious activity and maintain backups before applying updates.