
Control Web Panel EUVD-2025-209736 | CVE-2025-67888 | HIGH
OS Command Injection (CWE-78)
2026-05-08 | mitre | GHSA-6q25-xprm-2cg4
CVSS 3.1 base score: 7.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (4 events)

- May 08, 2026 15:23, vuln.today: analysis generated
- May 08, 2026 15:22, NVD: CVSS changed to 7.3 (HIGH)
- May 08, 2026 00:00, NVD: CVE published, severity HIGH 7.3
- May 08, 2026 00:00, NVD: CVE published, severity not yet assigned

Description (NVD)

An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.

Analysis (AI)

Remote command injection in Control Web Panel lets unauthenticated attackers execute arbitrary OS commands as root through the unsanitized "key" GET parameter of /admin/index.php. Exploitation requires that the Softaculous or SitePad component be installed. Note that the NVD vector rates the impact Low on confidentiality, integrity and availability (7.3, HIGH), while the description states root command execution; when prioritizing, treat the practical impact as full host compromise rather than relying on the base score. The EPSS score of 6.16% (91st percentile) suggests selective targeting rather than mass exploitation so far, but the technical barrier is low (AC:L, PR:N, UI:N). Public exploit code exists via the Karma Insecurity disclosure and the Full Disclosure mailing list, which materially raises the likelihood of exploitation.

Technical Context (AI)

Control Web Panel (CWP) is a web hosting control panel for Linux servers. The flaw is an OS command injection (CWE-78) in the admin endpoint /admin/index.php: when the "api" parameter is set, the value of the "key" GET parameter is used to build an OS command without sanitization or validation, so an attacker controls part of the command line that is executed. Because the panel's web process runs as root, injected commands run as root. The vulnerable code path is only reachable when Softaculous (an auto-installer for web applications) or SitePad (a website builder) is present; both are optional CWP components, and the description states that one of them must be installed for the issue to be exploitable. No authentication, user interaction or local access is needed. This is a textbook untrusted-input failure in a privileged web application.

Remediation (AI)

- Upgrade Control Web Panel to 0.9.8.1209 or later immediately, following the vendor's security instructions at https://wiki.centos-webpanel.com/cwp-security-instructions.
- If patching must wait, disable or remove the Softaculous and SitePad extensions: the vulnerable code path requires one of them to be present. This removes application-installer and site-builder functionality that customers may depend on.
- Add WAF rules that block requests to /admin/index.php carrying both the "api" and "key" parameters from untrusted sources. Treat this as a stopgap only: WAF bypasses for command injection are routine, and a rule keyed on specific metacharacters will miss encodings it does not normalize.
- Restrict network access to the CWP admin panel (typically ports 2030/2031) to trusted IP addresses with firewall rules. This is defense in depth and shrinks the unauthenticated attack surface, at the cost of remote management convenience.
- Monitor for unexpected command execution by the panel's web server process (child shells or unusual binaries spawned by it), and review access and audit logs for requests to /admin/index.php whose "key" parameter contains shell metacharacters.
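As an added example, not code from vuln.today or from the CWP project, the following Python script implements two of the checks above: whether a CWP version string is at or above the fixed release 0.9.8.1209, and a scan of web access log lines for requests to /admin/index.php that have the "api" parameter set and shell metacharacters in "key", the precondition the advisory describes. The log lines are constructed for this example in combined log format (assumed for CWP's web server; adjust the regex if yours differs), and the metacharacter patterns in them are generic, not a reproduction of any published exploit. The set of metacharacters and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

FIXED_VERSION = "0.9.8.1209"      # first fixed release per the advisory
VULN_PATH = "/admin/index.php"     # affected endpoint per the advisory

# Shell metacharacters and substitution openers that have no business in an
# API key. The exact set is an assumption of this example; widen it to taste.
SHELL_META = re.compile(r"[;|&`<>\n]|\$\(|\$\{")

# Combined log format (assumed). Captures client, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def version_tuple(version: str):
    """Turn '0.9.8.1209' into (0, 9, 8, 1209) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def version_is_fixed(version: str) -> bool:
    """True if the CWP version string is 0.9.8.1209 or later."""
    return version_tuple(version) >= version_tuple(FIXED_VERSION)


def is_suspicious_request(target: str) -> bool:
    """True when the request target matches the advisory's preconditions
    (/admin/index.php with 'api' set) and 'key' carries shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return False
    # parse_qs percent-decodes values, so %3B is seen as ';' and %60 as '`'.
    params = parse_qs(parts.query, keep_blank_values=True)
    if "api" not in params:
        return False
    return any(SHELL_META.search(value) for value in params.get("key", []))


def scan_log(text: str):
    """Return one dict per suspicious line: client, time, status and decoded key values."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected log format; skip rather than guess
        target = match.group("target")
        if is_suspicious_request(target):
            keys = parse_qs(urlsplit(target).query).get("key", [])
            hits.append({
                "client": match.group("client"),
                "time": match.group("time"),
                "status": match.group("status"),
                "key": keys,
            })
    return hits


# Constructed sample lines: a benign key, two with metacharacters and 'api' set,
# one with metacharacters but no 'api' (precondition not met), one on another path.
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2026:10:01:02 +0000] "GET /admin/index.php?api=1&key=abcdef0123 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [08/May/2026:10:01:09 +0000] "GET /admin/index.php?api=1&key=abc%3Bid HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [08/May/2026:10:02:15 +0000] "GET /admin/index.php?api=1&key=x%60whoami%60 HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [08/May/2026:10:02:30 +0000] "GET /admin/index.php?key=%24%28id%29 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [08/May/2026:10:03:00 +0000] "GET /user/index.php?api=1&key=%3Bid HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} status={hit['status']} key={hit['key']}")
    print("0.9.8.1209 fixed:", version_is_fixed("0.9.8.1209"))
    print("0.9.8.1208 fixed:", version_is_fixed("0.9.8.1208"))
```

The scanner deliberately ignores the fourth line (metacharacters but no "api") and the fifth (different path) so that it reports only traffic matching the described precondition; loosen those two checks if you would rather triage every odd-looking "key" value. Feed it a real log with `scan_log(open(path).read())`.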


EUVD-2025-209736 vulnerability details – vuln.today
