module
Control Web Panel /admin/index.php Unauthenticated RCE
| Disclosed | Created |
|---|---|
| Dec 16, 2025 | Jan 14, 2026 |
Disclosed
Dec 16, 2025
Created
Jan 14, 2026
Description
Control Web Panel (CWP) versions unauthenticated OS command injection. User input passed via the
"key" GET parameter to /admin/index.php (when the "api" parameter is set)
is not properly sanitized before being used to execute OS commands.
This can be exploited by unauthenticated attackers to inject and execute
arbitrary OS commands with the privileges of the root user on the web server.
Successful exploitation usually requires "Softaculous" and/or "SitePad"
to be installed through the Scripts Manager.
"key" GET parameter to /admin/index.php (when the "api" parameter is set)
is not properly sanitized before being used to execute OS commands.
This can be exploited by unauthenticated attackers to inject and execute
arbitrary OS commands with the privileges of the root user on the web server.
Successful exploitation usually requires "Softaculous" and/or "SitePad"
to be installed through the Scripts Manager.
Authors
Lukas Johannes Möller
Egidio Romano
Egidio Romano
Platform
Linux,Unix
Architectures
x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r, riscv32be, riscv32le, riscv64be, riscv64le, loongarch64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.