CVE-2023-35885
Published 2023-06-20
CVE-2023-35885: CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.
Priority P1 · 92 · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS 75.31% (99.5th percentile)
CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mgt-commerce | cloudpanel | >= 2.0.0 < 2.3.1 | 2.3.1 |
Detection & IOCs (extracted from sources)
url: /file-manager/backend/permissions
cookie: clp-fm=<session>
url: /file-manager/backend/makefile
url: /file-manager/backend/text
command (POST body): id=/htdocs/app/files/public/<filename>.php&permissions=0777
path: /htdocs/app/files/public/
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication File Creation (CVE-2023-35885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file-manager/backend/makefile"; fast_pattern; http.cookie; content:"clp-fm|3d|"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"id|3d 2f|"; content:"name|3d|"; reference:url,datack.my/fallingskies-cloudpanel-0-day/; reference:cve,2023-35885; classtype:web-application-activity; sid:2056090; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication Content Upload (CVE-2023-35885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file-manager/backend/text"; fast_pattern; http.cookie; content:"clp-fm|3d|"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"id|3d 2f|"; content:"content|3d|"; reference:url,datack.my/fallingskies-cloudpanel-0-day/; reference:cve,2023-35885; classtype:web-application-activity; sid:2056091; rev:1;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication File Permission Modification (CVE-2023-35885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file-manager/backend/permissions"; fast_pattern; http.cookie; content:"clp-fm|3d|"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"id|3d 2f|"; content:"permissions|3d|"; reference:url,datack.my/fallingskies-cloudpanel-0-day/; reference:cve,2023-35885; classtype:web-application-activity; sid:2056092; rev:1;)
- Exploitation hits three file-manager backend endpoints in sequence, each with a POST carrying the `clp-fm` cookie: /file-manager/backend/makefile (create the file), /file-manager/backend/text (write its content, i.e. the webshell), and /file-manager/backend/permissions (chmod 0777). Correlate all three from one source as a kill chain rather than alerting on each in isolation.
- The POST body to /file-manager/backend/permissions carries `id=/<absolute_path>` and `permissions=0777`, which makes the dropped file world-readable, world-writable and world-executable. Alert on 0777 applied to files under web-accessible directories.
- The exploit drops a PHP webshell under the public web root. Confirm exploitation by requesting the newly created PHP file with GET and checking for dynamic output (the Nuclei template looks for the md5 of a random string in the response body).
- The backend trusts the `clp-fm` cookie without validating it server-side (CWE-565, Reliance on Cookies without Validation and Integrity Checking). Requests to the file-manager backend that carry `clp-fm=` from a client that never authenticated to the panel, or from outside the expected administrative source ranges, should be treated as suspicious and investigated.
- Content-Type is `application/x-www-form-urlencoded` and the request body begins with `id=/` (absolute path). Legitimate file-manager use produces the same request shape, so treat this as a necessary condition for the rules above rather than as proof on its own; the endpoint sequence, a `.php` target under the public root and the 0777 mode are what separate exploitation from routine edits.
- The Snort/Suricata rules (SIDs 2056090–2056092) carry `tls_state plaintext` metadata, so they only match plaintext HTTP. If CloudPanel is served over HTTPS without TLS inspection in front of the sensor, these rules will not see the exploit.
- The rules are scoped to `$HOME_NET` as the destination. Make sure $HOME_NET includes every CloudPanel server address, otherwise the rules will not match.
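The kill-chain correlation described in the bullets above, as an added example in Python. This is not code from this page, from CloudPanel, from Emerging Threats or from the Nuclei project: the per-request predicates mirror what ET SIDs 2056090–2056092 match (POST to one of the three backend endpoints, a `clp-fm` cookie, a form-urlencoded body starting with `id=/`), and the correlation across the three stages per client, in order and inside a time window, plus the 0777 check under the web root, is the part a single IDS rule cannot express. The `Request` record layout, the `/htdocs/` web-root prefix and every sample record are constructed for this example.

```python
"""Correlate the CVE-2023-35885 file-manager request chain in web-server logs.

Added example, not code from the page, CloudPanel, Emerging Threats or Nuclei.
Per-request predicates mirror ET SIDs 2056090-2056092; the per-client ordered
correlation and the 0777-under-webroot check are what one IDS rule cannot do.
Request layout, WEB_ROOTS prefix and all sample records are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs

BACKEND = "/file-manager/backend/"
# (stage, endpoint, body field the matching ET rule requires), in kill-chain order
STAGES = (
    ("makefile", BACKEND + "makefile", "name"),
    ("text", BACKEND + "text", "content"),
    ("permissions", BACKEND + "permissions", "permissions"),
)
STAGE_ORDER = [s[0] for s in STAGES]
WEB_ROOTS = ("/htdocs/",)  # assumed from the IOC path above; set per deployment


@dataclass
class Request:
    ts: datetime
    src: str
    method: str
    uri: str
    cookie: str
    content_type: str
    body: str


def classify(req):
    """Return the stage a request matches, or None (mirrors the ET rule contents)."""
    if req.method != "POST" or "clp-fm=" not in req.cookie:
        return None
    if not req.content_type.startswith("application/x-www-form-urlencoded"):
        return None
    if not req.body.startswith("id=/"):
        return None
    for stage, uri, field in STAGES:
        if req.uri == uri and field + "=" in req.body:
            return stage
    return None


def form_field(req, name):
    return parse_qs(req.body).get(name, [""])[0]


def chmod_0777_under_webroot(req):
    """True when a permissions request sets mode 0777 on a file under a web root."""
    return (form_field(req, "permissions") == "0777"
            and form_field(req, "id").startswith(WEB_ROOTS))


def correlate(requests, window=timedelta(minutes=5)):
    """Report clients that complete makefile -> text -> permissions within the window."""
    history = {}  # src -> [(ts, stage, request)] still inside the window
    findings = []
    for req in sorted(requests, key=lambda r: r.ts):
        stage = classify(req)
        if stage is None:
            continue
        chain = [c for c in history.get(req.src, []) if req.ts - c[0] <= window]
        chain.append((req.ts, stage, req))
        history[req.src] = chain
        if stage != STAGE_ORDER[-1]:
            continue
        want = 0  # walk the chain: each expected stage must precede the next one
        for _, seen, _ in chain:
            if seen == STAGE_ORDER[want]:
                want += 1
                if want == len(STAGE_ORDER):
                    break
        if want == len(STAGE_ORDER):
            findings.append({"src": req.src, "last_seen": req.ts,
                             "target": form_field(req, "id"),
                             "chmod_0777_in_webroot": chmod_0777_under_webroot(req)})
            history[req.src] = []  # report once, then start a fresh chain
    return findings


def sample_requests():
    """Constructed records: one attacker chain, one benign edit, one cookie-less scan."""
    t0, ct = datetime(2024, 2, 14, 9, 30), "application/x-www-form-urlencoded"
    atk, pub = "203.0.113.7", "/htdocs/app/files/public"
    return [
        # Admin editing a file through the panel: same endpoint and cookie, no chain.
        Request(t0, "198.51.100.2", "POST", BACKEND + "text", "clp-fm=a1b2c3", ct,
                f"id={pub}/index.php&content=%3C%3Fphp+echo+1%3B"),
        Request(t0 + timedelta(seconds=5), atk, "POST", BACKEND + "makefile",
                "clp-fm=deadbeef", ct, f"id={pub}&name=x9q.php"),
        Request(t0 + timedelta(seconds=6), atk, "POST", BACKEND + "text",
                "clp-fm=deadbeef", ct, f"id={pub}/x9q.php&content=%3C%3Fphp+echo+md5%28%22k%22%29%3B"),
        Request(t0 + timedelta(seconds=7), atk, "POST", BACKEND + "permissions",
                "clp-fm=deadbeef", ct, f"id={pub}/x9q.php&permissions=0777"),
        # No clp-fm cookie: neither the ET rules nor classify() match it.
        Request(t0 + timedelta(seconds=8), "192.0.2.9", "POST", BACKEND + "permissions",
                "", ct, f"id={pub}/x9q.php&permissions=0777"),
    ]


def run_demo():
    return correlate(sample_requests())
```

Only the attacker chain produces a finding: the admin's edit matches the `text` stage on its own, exactly as the ET rule would fire on it, but never completes the sequence, and the cookie-less request is ignored. Feed the correlator from a source that retains request bodies (a reverse proxy with body logging or an IDS HTTP log configured to keep them); a plain access log carries only the URI, which is enough for the endpoint sequence but not for the `permissions=0777` or `.php`-target checks.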
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
GHSA-wmrx-g8f2-rgwh · ghsa_unreviewed · 2023-06-20 · CRITICAL · CWE-565
CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.
VulnCheck
mgt-commerce cloudpanel Reliance on Cookies without Validation and Integrity Checking
vulncheck · 2023 · CVSS 9.8 · CRITICAL
CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.
Affected: mgt-commerce cloudpanel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-14&host_type=src&vulnerability=cve-2023-35885
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-15&host_type=src&vulnerability=cve-2023-35885
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-16&host_type=src&vulnerability=cve-2023-35885
- https://dashboard.sha
Suricata
ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication File Creation (CVE-2023-35885)
suricata · 2024-09-24 · CVSS 9.8 · CRITICAL
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication File Creation (CVE-2023-35885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file-manager/backend/makefile"; fast_pattern; http.cookie; content:"clp-fm|3d|"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"id|3d 2f|"; content:"name|3d|"; reference:url,datack.my/fallingskies-cloudpanel-0-day/; reference:cve,2023-35885; classtype:web-application-activity; sid:2056090; rev:1; metadata:attack_target Server, tls_state plaintext, created_at 2024_09_24, cve CVE_2023_35885, deployment Perimeter
Suricata
ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication Content Upload (CVE-2023-35885)
suricata · 2024-09-24 · CVSS 9.8 · CRITICAL
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication Content Upload (CVE-2023-35885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file-manager/backend/text"; fast_pattern; http.cookie; content:"clp-fm|3d|"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"id|3d 2f|"; content:"content|3d|"; reference:url,datack.my/fallingskies-cloudpanel-0-day/; reference:cve,2023-35885; classtype:web-application-activity; sid:2056091; rev:1; metadata:attack_target Server, tls_state plaintext, created_at 2024_09_24, cve CVE_2023_35885, deployment Perimete
Suricata
ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication File Permission Modification (CVE-2023-35885)
suricata · 2024-09-24 · CVSS 9.8 · CRITICAL
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication File Permission Modification (CVE-2023-35885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file-manager/backend/permissions"; fast_pattern; http.cookie; content:"clp-fm|3d|"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"id|3d 2f|"; content:"permissions|3d|"; reference:url,datack.my/fallingskies-cloudpanel-0-day/; reference:cve,2023-35885; classtype:web-application-activity; sid:2056092; rev:1; metadata:attack_target Server, tls_state plaintext, created_at 2024_09_24,
Nuclei
Cloudpanel 2 < 2.3.1 - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
Template excerpt (the chain's final permissions request, the follow-up GET of the dropped file, and the matcher):

```yaml
      - |
        POST /file-manager/backend/permissions HTTP/1.1
        Host: {{Hostname}}
        Cookie: clp-fm={{session}}
        Content-Type: application/x-www-form-urlencoded

        id=/htdocs/app/files/public/{{str1}}.php&permissions=0777
      - |
        GET /{{str1}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_5
        words:
          - '{{md5(string)}}'
# digest: 490a00463044022029050df548594620337fb82a5523c2ccd3b3f55e7c5a6e7e41740e7f148d193602203d47844ccb146136285b9047ee3297895d8e5e5dcea79b470a3c062b0dfa7e4d:922c64590222798bb761d5b6d8e72950
```
References
- https://github.com/datackmy/FallingSkies-CVE-2023-35885
- https://www.cloudpanel.io/docs/v2/changelog/
- https://www.datack.my/fallingskies-cloudpanel-0-day/