Impact
Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability (CWE-89) that allows unauthenticated remote attackers to inject arbitrary SQL through the unsanitized userRes POST parameter of the /user endpoint. Through the injection the attacker can obtain MySQL root privileges, use INTO DUMPFILE to write arbitrary files, and drop a PHP web shell into the publicly accessible roundcube logs directory. The result is remote code execution as the cwpsvc account and full compromise of confidentiality, integrity, and availability.
Affected Systems
Control Web Panel versions earlier than 0.9.8.1225 installed on any server that exposes the web UI are affected. The vulnerability is present in every installation that includes the default /user endpoint, so any instance reachable from a network with untrusted actors could be targeted.
Risk and Exploitability
The CVSS base score of 9.3 signals critical severity. EPSS is not available, and the absence of a KEV listing does not lessen the risk: the flaw permits code deployment without authentication. The likely attack path is a crafted POST request to /user that uses the blind injection to write a malicious PHP file via INTO DUMPFILE, followed by remote command execution once the web server serves that file. Because exploitation requires only network connectivity to the web server, attackers could carry it out from anywhere on the internet without any prior access or privilege escalation step.
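The attack path above has two observable points for a defender: the POST to /user carrying SQL in userRes, and a PHP file appearing in a log directory that should only ever hold logs. The following added example (not code from the advisory, OpenCVE, or the Control Web Panel project) shows detection logic for both. It assumes a hypothetical log format in which a reverse proxy or WAF in front of CWP writes one JSON object per request with "src", "method", "path" and "body" fields; ordinary access logs do not record POST bodies, so they cannot show the userRes value at all. The sample log lines, the indicator names and the roundcube logs path handling are constructed for the example.

```python
"""Added detection example for the CWP /user blind SQL injection advisory.

Assumptions (not from the advisory): the web tier in front of CWP writes one
JSON object per request with keys "src", "method", "path" and "body" (a WAF or
reverse proxy configured to log request bodies). Plain access logs do not
contain POST bodies, so they cannot show the userRes value at all.
"""
import json
import re
from pathlib import Path
from typing import Iterable, List, Optional
from urllib.parse import parse_qs

# Indicator names and patterns; file_write matches the INTO DUMPFILE step the
# advisory describes, time_delay matches typical blind (time-based) probes.
SQLI_INDICATORS = [
    ("file_write", re.compile(r"\binto\s+(dump|out)file\b", re.I)),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("time_delay", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("quote_then_keyword", re.compile(r"'\s*(or|and|union|select)\b", re.I)),
]

# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"src": "198.51.100.7", "method": "POST", "path": "/user", "body": "userRes=alice&password=hunter2"}
{"src": "198.51.100.7", "method": "GET", "path": "/user", "body": ""}
{"src": "203.0.113.9", "method": "POST", "path": "/user", "body": "userRes=a%27+union+select+1%2C2+into+dumpfile+%27%2Ftmp%2Fx%27--+&password=x"}
{"src": "203.0.113.9", "method": "POST", "path": "/user", "body": "userRes=a%27+and+sleep%285%29--+&password=x"}
{"src": "192.0.2.4", "method": "POST", "path": "/login", "body": "userRes=%27+or+1%3D1"}
"""


def user_res_value(body: str) -> Optional[str]:
    """Decode the form body and return the userRes value, or None if absent."""
    values = parse_qs(body, keep_blank_values=True).get("userRes")
    return values[0] if values else None


def classify(entry: dict) -> List[str]:
    """Indicator names matched by one request; empty for clean or out-of-scope requests."""
    if entry.get("method") != "POST":
        return []
    if entry.get("path", "").split("?", 1)[0] != "/user":
        return []
    value = user_res_value(entry.get("body", ""))
    if value is None:
        return []
    return [name for name, rx in SQLI_INDICATORS if rx.search(value)]


def scan_log(lines: Iterable[str]) -> List[dict]:
    """One finding per suspicious request: source address, indicators, decoded value."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a production pipeline would count these
        hits = classify(entry)
        if hits:
            findings.append({"src": entry.get("src"), "indicators": hits,
                             "value": user_res_value(entry.get("body", ""))})
    return findings


# A log directory should contain log files only; executable web content there
# is the post-exploitation artifact the advisory describes.
WEB_SHELL_SUFFIXES = (".php", ".phtml", ".phar")


def unexpected_files(names: Iterable[str]) -> List[str]:
    """File names that do not belong in a log directory."""
    return [n for n in names if n.lower().endswith(WEB_SHELL_SUFFIXES)]


def scan_logs_dir(directory: Path) -> List[str]:
    """Check an on-disk roundcube logs directory; the path is deployment-specific."""
    return unexpected_files(p.name for p in directory.iterdir() if p.is_file())


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['src']}: {', '.join(f['indicators'])} -> {f['value']!r}")
    print(unexpected_files(["errors.log", "sendmail.log", "shell.php"]))
```

Run against the constructed sample, the scanner reports only the two requests from 203.0.113.9: the first trips the file_write, union_select and quote_then_keyword indicators, the second trips time_delay and quote_then_keyword, while the legitimate login and the POST to a different path are ignored. Beyond detection, the INTO DUMPFILE step depends on the MySQL server being allowed to write files into a web-served directory; MySQL's secure_file_priv setting restricts such writes to one directory (or disables them entirely when set to NULL), so checking that value is a useful compensating control while the upgrade to 0.9.8.1225 is scheduled.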
OpenCVE Enrichment