module
Control Web Panel /admin/index.php Unauthenticated RCE
| Disclosed |
|---|
| Dec 16, 2025 |
Disclosed
Dec 16, 2025
Description
Control Web Panel (CWP) versions unauthenticated OS command injection. User input passed via the
"key" GET parameter to /admin/index.php (when the "api" parameter is set)
is not properly sanitized before being used to execute OS commands.
This can be exploited by unauthenticated attackers to inject and execute
arbitrary OS commands with the privileges of the root user on the web server.
Successful exploitation usually requires "Softaculous" and/or "SitePad"
to be installed through the Scripts Manager.
"key" GET parameter to /admin/index.php (when the "api" parameter is set)
is not properly sanitized before being used to execute OS commands.
This can be exploited by unauthenticated attackers to inject and execute
arbitrary OS commands with the privileges of the root user on the web server.
Successful exploitation usually requires "Softaculous" and/or "SitePad"
to be installed through the Scripts Manager.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.