CVE-2023-35885
published 2023-06-20

CVE-2023-35885: CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.

Priority: P1 · 92 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 75.31% (99.5th percentile)

Affected (1 range)

Vendor        Product     Version range      Fixed in
mgt-commerce  cloudpanel  >= 2.0.0 < 2.3.1   2.3.1

Detection & IOCs (extracted from sources)

url: /file-manager/backend/permissions
cookie: clp-fm=<session>
url: /file-manager/backend/makefile
url: /file-manager/backend/text
command: id=/htdocs/app/files/public/<filename>.php&permissions=0777
path: /htdocs/app/files/public/
snort rule (sid 2056090):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication File Creation (CVE-2023-35885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file-manager/backend/makefile"; fast_pattern; http.cookie; content:"clp-fm|3d|"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"id|3d 2f|"; content:"name|3d|"; reference:url,datack.my/fallingskies-cloudpanel-0-day/; reference:cve,2023-35885; classtype:web-application-activity; sid:2056090; rev:1;)

snort rule (sid 2056091):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication Content Upload (CVE-2023-35885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file-manager/backend/text"; fast_pattern; http.cookie; content:"clp-fm|3d|"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"id|3d 2f|"; content:"content|3d|"; reference:url,datack.my/fallingskies-cloudpanel-0-day/; reference:cve,2023-35885; classtype:web-application-activity; sid:2056091; rev:1;)

snort rule (sid 2056092):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication File Permission Modification (CVE-2023-35885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file-manager/backend/permissions"; fast_pattern; http.cookie; content:"clp-fm|3d|"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"id|3d 2f|"; content:"permissions|3d|"; reference:url,datack.my/fallingskies-cloudpanel-0-day/; reference:cve,2023-35885; classtype:web-application-activity; sid:2056092; rev:1;)
  • Exploit targets three distinct file-manager backend endpoints via POST with the `clp-fm` cookie present: /file-manager/backend/makefile (file creation), /file-manager/backend/text (content upload/webshell write), and /file-manager/backend/permissions (chmod 0777). Monitor for all three in sequence as a kill-chain.
  • POST body to /file-manager/backend/permissions contains `id=/<absolute_path>` and `permissions=0777`, indicating an attacker is making a dropped file world-executable. Alert on chmod 0777 applied to files under web-accessible directories.
  • The exploit drops a PHP webshell under the public web root. Verify exploitation by issuing a GET request to the newly created PHP file and checking for dynamic output (e.g., md5 hash of a string in the response body).
  • The `clp-fm` cookie is used without proper authentication validation. Any HTTP request carrying `clp-fm=` to the file-manager backend endpoints should be treated as suspicious and investigated.
  • Content-Type is always `application/x-www-form-urlencoded` and the request body begins with `id=/` (absolute path). This combination on file-manager endpoints is a strong exploit indicator.
  • Snort/Suricata rules (SIDs 2056090–2056092) are marked `tls_state plaintext`, meaning they will NOT fire on TLS-encrypted traffic. If CloudPanel is deployed behind HTTPS without TLS inspection, these rules will miss the exploit.
  • Rules are scoped to `$HOME_NET` as the destination. Ensure $HOME_NET is correctly defined to include all CloudPanel server IPs, otherwise rules will not match.
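Log-side detection for the indicators listed above, as an added example that is not part of this record or of CloudPanel: it flags each POST to the three backend endpoints that carries the `clp-fm` cookie, notes the absolute-path body, web-root write and chmod 0777 indicators, and reports sources that hit makefile, text and permissions in kill-chain order. The proxy-style log format, its field names and the sample addresses are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs
# Constructed log format (an assumption for this example, not CloudPanel's own log):
#   <src_ip> <METHOD> <uri> cookie="<Cookie header>" ct="<Content-Type>" body="<raw body>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<uri>\S+) cookie="(?P<cookie>[^"]*)" '
                    r'ct="(?P<ct>[^"]*)" body="(?P<body>[^"]*)"$')
# The three backend endpoints from the IOC list, in the order the exploit chain uses them
STAGES = {"/file-manager/backend/makefile": "makefile", "/file-manager/backend/text": "text",
          "/file-manager/backend/permissions": "permissions"}
KILL_CHAIN = ("makefile", "text", "permissions")
WEB_ROOT = "/htdocs/app/files/public/"   # web-accessible directory from the IOC list
def _in_order(stages, chain):
    """True if every step of chain appears in stages in that relative order (subsequence test)."""
    it = iter(stages)
    return all(step in it for step in chain)

def analyze(lines):
    """Return (events, chained): per-request hits as (src, stage, reasons), plus sources
    that hit all three endpoints in kill-chain order."""
    events, per_src = [], defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        stage = STAGES.get(m["uri"].split("?", 1)[0]) if m else None
        # Only POSTs to the three endpoints that carry the clp-fm cookie are of interest
        if stage is None or m["method"] != "POST" or "clp-fm=" not in m["cookie"]:
            continue
        params = parse_qs(m["body"])
        target = params.get("id", [""])[0]
        reasons = ["clp-fm cookie on file-manager backend"]
        if m["ct"].startswith("application/x-www-form-urlencoded") and m["body"].startswith("id=/"):
            reasons.append("form body starts with absolute path id=/")
        if stage == "permissions":
            if params.get("permissions", [""])[0] == "0777" and target.startswith(WEB_ROOT):
                reasons.append("chmod 0777 under web-accessible directory")
        elif target.startswith(WEB_ROOT):
            reasons.append("file-manager write under web root")
        events.append((m["src"], stage, reasons))
        per_src[m["src"]].append(stage)
    chained = sorted(src for src, seen in per_src.items() if _in_order(seen, KILL_CHAIN))
    return events, chained

# Constructed sample traffic: 203.0.113.5 walks the full chain, 198.51.100.7 only reads a file
SAMPLE = """\
203.0.113.5 POST /file-manager/backend/makefile cookie="clp-fm=abc123" ct="application/x-www-form-urlencoded" body="id=/htdocs/app/files/public/&name=x.php"
203.0.113.5 POST /file-manager/backend/text cookie="clp-fm=abc123" ct="application/x-www-form-urlencoded" body="id=/htdocs/app/files/public/x.php&content=..."
203.0.113.5 POST /file-manager/backend/permissions cookie="clp-fm=abc123" ct="application/x-www-form-urlencoded" body="id=/htdocs/app/files/public/x.php&permissions=0777"
198.51.100.7 GET /file-manager/backend/text cookie="clp-fm=def456" ct="" body=""
""".splitlines()
```

Feed `analyze()` the real request log once it is mapped onto the same fields; the chain check is order-sensitive, so a source that only reads files never appears in `chained`.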

CVSS provenance

NVD (v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL