One Username to Rule Them All: The Persistent RCE Shadow Haunting Control Web Panel
A serious design flaw in a widely used server management panel lets an attacker take control of the server without any credentials: knowing a single valid username is enough to run arbitrary commands on the host.
The software in question is Control Web Panel (CWP), commonly used to manage hosting environments built on CentOS, AlmaLinux and Rocky Linux. Researchers at Fenrisk have identified a new vulnerability, tracked as CVE-2025-70951, that allows remote code execution (RCE) before any authentication takes place.
The bug is a direct descendant of an earlier flaw, CVE-2025-48703. The developers did patch the code path reported at the time, but the fix was incomplete and left the same dangerous mechanism reachable through a second module.
Control Web Panel exposes two web interfaces: an administrative panel and a user panel. In the original exploit an attacker bypassed access checks by injecting a shell command into a parameter that was only meant to carry file permission values; because the server never verified that the request belonged to a valid session, it executed the injected command.
The original fix closed that hole in the file manager but did not touch the "addons" module, which installs optional components. That module still accepts requests without verifying who is making them, as long as the request names a user that exists on the system.
When an add-on is installed the server reads several request parameters, including a directory path. That path is never validated, so a shell command embedded in it survives intact and is handed to the system shell, which runs it.
Exploiting the flaw therefore requires nothing more than a crafted request containing a valid username and a shell payload in the path parameter; the command runs with the privileges of that user.
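To make the two failures concrete, here is an added example written for this article; it is not code from CWP or from Fenrisk's advisory. It models an add-on installer in Python: the vulnerable version gates the request only on whether the supplied username exists and interpolates the path into a shell command, while the hardened version requires an authenticated session for that user, validates the path against an allow-list, and invokes the installer without a shell. The function names, the `Request` fields, the user list and the use of `echo` as a stand-in installer are all assumptions made for the example.

```python
"""Added example (not CWP's code): the bug class described above,
modelled as a vulnerable add-on installer next to a hardened one."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed user list: the only thing the vulnerable handler checks.
KNOWN_USERS = {"alice", "bob"}


@dataclass
class Request:
    username: str                       # chosen freely by the client
    path: str                           # the "directory path" parameter
    session_user: Optional[str] = None  # None: no valid session cookie


class AccessDenied(Exception):
    pass


def install_addon_vulnerable(req: Request) -> str:
    """Mirrors the flaw: username existence is the only gate, and the
    path is interpolated into a command string run by /bin/sh."""
    if req.username not in KNOWN_USERS:
        raise AccessDenied("unknown user")
    # 'echo' stands in for the real installer so the example is harmless;
    # anything after ';' in the path becomes a second shell command.
    cmd = f"echo installing into {req.path}"
    out = subprocess.run(cmd, shell=True, capture_output=True,
                         text=True, check=True)
    return out.stdout


# Allow-list: absolute path, plain filename characters only. ".." is
# matched by the character class, so it is rejected separately below.
SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+/?$")


def install_addon_hardened(req: Request) -> str:
    """Requires an authenticated session belonging to the named user,
    validates the path, and passes it as one argv element (no shell)."""
    if req.session_user is None or req.session_user != req.username:
        raise AccessDenied("no authenticated session for this user")
    if req.username not in KNOWN_USERS:
        raise AccessDenied("unknown user")
    if not SAFE_PATH.match(req.path) or ".." in req.path.split("/"):
        raise ValueError(f"rejected path: {req.path!r}")
    out = subprocess.run(["echo", "installing into", req.path],
                         capture_output=True, text=True, check=True)
    return out.stdout


def handle(handler: Callable[[Request], str], req: Request) -> Tuple[str, str]:
    """Run a handler and report (status, detail) instead of raising."""
    try:
        return ("ok", handler(req))
    except AccessDenied as e:
        return ("denied", str(e))
    except ValueError as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    # Constructed requests: one hostile (no session, payload in the path),
    # one legitimate.
    hostile = Request(username="alice", path="/tmp; echo INJECTED")
    legit = Request(username="alice", path="/home/alice/addons",
                    session_user="alice")
    print("vulnerable:", handle(install_addon_vulnerable, hostile))
    print("hardened  :", handle(install_addon_hardened, hostile))
    print("hardened  :", handle(install_addon_hardened, legit))
```

Running the script shows the vulnerable handler printing a second line, `INJECTED`, because the shell split the path at the semicolon and executed the rest as a command. The session check alone would have stopped the pre-authentication variant, but only the allow-list plus the argv-style invocation removes the injection itself, which matters because the same parameter would otherwise remain abusable by any logged-in user.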
The vulnerability was confirmed on versions 0.9.8.1218, 0.9.8.1219 and 0.9.8.1222 running on CentOS 7. It is fixed in version 0.9.8.1224, released in March 2026. Fenrisk found the flaw in December 2025 and reported it to the developers in early January 2026; the developers confirmed it in February and shipped the patch a month later. Because the earlier fix for CVE-2025-48703 did not close this path, administrators should verify that the installed build is 0.9.8.1224 or later rather than relying on having applied the previous update.