CVE-2025-67888 Overview
CVE-2025-67888 is an unauthenticated OS command injection vulnerability in Control Web Panel (CWP) versions before 0.9.8.1209. The flaw resides in /admin/index.php, where the key GET parameter is not sanitized before being passed to OS command execution when the api parameter is set. Attackers can inject arbitrary shell commands that execute with root privileges on the underlying web server. Exploitation requires that either Softaculous or SitePad be installed on the target host. The issue is tracked under CWE-78 and has an EPSS percentile of 96.4, indicating elevated exploitation likelihood.
Critical Impact
Unauthenticated remote attackers can execute arbitrary OS commands as root on affected CWP servers, leading to full server compromise.
Affected Products
- Control Web Panel (CWP) versions prior to 0.9.8.1209
- CWP installations with Softaculous installed
- CWP installations with SitePad installed
Discovery Timeline
- 2026-05-08 - CVE-2025-67888 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2025-67888
Vulnerability Analysis
The vulnerability is an OS command injection flaw [CWE-78] in the administrative endpoint of Control Web Panel. When a request reaches /admin/index.php with the api parameter set, the application reads the key GET parameter and incorporates its value into a shell command without proper sanitization or escaping. This allows shell metacharacters in the key value to break out of the intended command context and append attacker-controlled commands.
Because the CWP cwpsrv web server runs with elevated privileges, injected commands execute as root. The endpoint does not require authentication when handling the affected API path, so any attacker capable of reaching the CWP administrative interface over the network can trigger the flaw. Exploitation is contingent on the presence of Softaculous or SitePad components, which expose the vulnerable code path.
Root Cause
The root cause is improper neutralization of special elements used in an OS command. User-supplied input from the key query parameter is concatenated into a command string passed to a system shell. The absence of input validation, allowlisting, or use of safe parameterized execution APIs allows shell metacharacters such as backticks, semicolons, pipes, and $() to alter the command structure.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the CWP admin interface, typically on the default CWP ports, with the api parameter set and a malicious payload in the key parameter. The vulnerable handler executes the injected command as root, returning output or establishing persistence such as a reverse shell, credential exfiltration, or web shell deployment. Refer to the Karma Insecurity Advisory KIS-2025-09 and the Full Disclosure mailing list post for technical proof-of-concept details.
Detection Methods for CVE-2025-67888
Indicators of Compromise
- HTTP requests to /admin/index.php containing both an api parameter and a key parameter with shell metacharacters such as ;, |, `, $(, or URL-encoded equivalents.
- Unexpected child processes spawned by the CWP web server user, including sh, bash, wget, curl, nc, or python invoked from cwpsrv or PHP worker contexts.
- New cron entries, SSH authorized keys, or files written into /tmp, /var/tmp, or web roots shortly after suspicious requests to the admin endpoint.
- Outbound connections from the CWP host to unfamiliar IP addresses following requests to /admin/index.php?api=....
Detection Strategies
- Inspect web server access logs for requests to /admin/index.php carrying the api parameter together with key values containing shell metacharacters or URL-encoded command separators.
- Correlate web request events with process creation telemetry to flag PHP or cwpsrv processes spawning shell interpreters or networking utilities.
- Deploy WAF or reverse proxy rules to alert on or block requests matching the vulnerable parameter pattern.
Monitoring Recommendations
- Enable command-line auditing through auditd on CWP hosts and forward events to a central log platform for analysis.
- Monitor file integrity on /etc/crontab, /etc/cron.d/, ~/.ssh/authorized_keys, and the CWP web root for unauthorized changes.
- Alert on root-owned processes initiating outbound network connections from the CWP server.
How to Mitigate CVE-2025-67888
Immediate Actions Required
- Upgrade Control Web Panel to version 0.9.8.1209 or later on all affected hosts as the primary remediation.
- Restrict network access to the CWP administrative interface using firewall rules that permit only trusted management IP ranges.
- Audit CWP servers for signs of prior exploitation, including unexpected root-owned processes, new accounts, and modified web content.
Patch Information
Control Web Panel addressed this vulnerability in version 0.9.8.1209. Administrators should follow the upgrade procedures documented in the CentOS WebPanel security instructions. After patching, verify the installed version through the CWP admin console or via the local version file.
Workarounds
- If immediate patching is not feasible, block external access to /admin/index.php at the perimeter and limit access to a management VPN.
- Where Softaculous or SitePad are not required, uninstall these components to remove the vulnerable code path.
- Deploy a WAF rule that rejects requests to /admin/index.php containing both api and key parameters with shell metacharacters.
# Example WAF/nginx rule to block exploitation patterns until patched
location = /admin/index.php {
if ($args ~* "api=.*key=.*[;|`$()&]") {
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
