PT-2026-54885 · Unknown · Control Web Panel
Egidio Romano · Published 2026-07-01 · Updated 2026-07-03 · CVE-2026-57517
CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Control Web Panel versions prior to 0.9.8.1225
Description
An unauthenticated remote attacker can execute arbitrary SQL queries due to improper input validation and unsafe SQL query construction. The issue occurs at the 'user' endpoint through the userRes POST parameter. Approximately 896,400 devices worldwide are potentially affected. Because the injected queries run with MySQL root privileges, an attacker can use the INTO DUMPFILE clause to write a PHP webshell into the web-accessible Roundcube logs directory, resulting in remote code execution as the cwpsvc account and potential full server compromise.
Recommendations
Upgrade to version 0.9.8.1225.
As a temporary mitigation, restrict access to the 'user' endpoint or avoid using the userRes parameter until the update is applied.
Exploit · Fix · RCE · SQL injection
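An added example, not from the advisory or from the CWP project: a request-inspection function that a reverse proxy or WAF hook could apply to the 'user' endpoint while the temporary mitigation is in place. It flags POST bodies whose userRes parameter carries the markers the description names (quotes, UNION SELECT, INTO DUMPFILE/OUTFILE) after undoing repeated URL encoding and MySQL comment obfuscation; the route /user and the sample requests are assumptions.

```python
"""Hypothetical request filter for the CWP 'user' endpoint injection (CVE-2026-57517).
Intended for a reverse-proxy/WAF hook so that POSTs whose userRes parameter carries
SQL-injection markers can be blocked or alerted on until 0.9.8.1225 is deployed.
Not CWP code; the route below is an assumption, adjust it to your deployment."""
import re
from urllib.parse import parse_qs, unquote_plus

ENDPOINT_RE = re.compile(r"(?:^|/)user/?$")  # assumed route of the 'user' endpoint
PARAM = "userRes"                             # POST parameter named in the advisory

# Markers checked on the decoded, comment-stripped value.  A lone quote is low
# confidence (alert); the keyword matches are what the advisory's attack needs.
SQL_MARKERS = [
    (re.compile(r"['\"]"), "quote character"),
    (re.compile(r"--|#"), "SQL comment sequence"),
    (re.compile(r"\bUNION\s*(?:ALL\s+)?SELECT\b", re.I), "UNION SELECT"),
    (re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b", re.I), "INTO DUMPFILE/OUTFILE file write"),
    (re.compile(r"\bLOAD_FILE\s*\(", re.I), "LOAD_FILE call"),
]

def normalise(value: str) -> str:
    """Undo repeated URL encoding, then turn MySQL comments into whitespace so
    UNION/**/SELECT and /*!50000SELECT*/ are seen as plain keywords."""
    prev = None
    while value != prev:                      # %2527 -> %27 -> ' (double encoding)
        prev, value = value, unquote_plus(value)
    value = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", value, flags=re.S)  # keep version-comment body
    return re.sub(r"/\*.*?\*/", " ", value, flags=re.S)                  # plain comments -> space

def inspect_request(method: str, path: str, body: str) -> list[str]:
    """Return the reasons this request looks like an attack on userRes; an empty
    list means it is out of scope (other route/method) or looks benign."""
    if method.upper() != "POST" or not ENDPOINT_RE.search(path.split("?", 1)[0]):
        return []
    reasons = []
    for raw in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        value = normalise(raw)
        reasons += [f"{PARAM}: {label}" for pat, label in SQL_MARKERS if pat.search(value)]
    return reasons

if __name__ == "__main__":
    # Constructed samples: a benign lookup and a double-encoded, comment-obfuscated probe.
    samples = [
        ("POST", "/user", "userRes=alice"),
        ("POST", "/user", "userRes=x%2527+UNION%2F%2A%2A%2FSELECT+1+INTO+DUMPFILE+%2527PLACEHOLDER%2527"),
    ]
    for method, path, body in samples:
        print(method, path, "->", inspect_request(method, path, body) or ["clean"])
```

Blocking on the quote marker alone will also stop legitimate values that contain an apostrophe, so treat it as an alert signal and block on the keyword matches.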
Affected Products
Control Web Panel