CVE-2026-34234
CtrlPanel · CtrlPanel
CtrlPanel contains an unauthenticated Remote Code Execution (RCE) vulnerability in its web-based installer, allowing attackers to execute arbitrary commands on the server.
Executive summary
An actively exploited, unauthenticated RCE vulnerability in CtrlPanel allows remote attackers to execute arbitrary code with server-level privileges.
Vulnerability
An unauthenticated attacker can trigger code execution via the web-based installer, which fails to properly validate the installation state and passes user input directly into shell commands.
Business impact
With a CVSS score of 10.0, this vulnerability is critical and poses an immediate threat to the entire hosting infrastructure. Active exploitation in the wild indicates that attackers are likely using this flaw to establish persistent backdoors, exfiltrate hosting data, or deploy ransomware, leading to total loss of control over the affected servers.
Remediation
Immediate Action: Update CtrlPanel to version 1.2.0 or later; if an update is not possible, remove or disable the public/installer/index.php file.
Proactive Monitoring: Search for evidence of unauthorized shell processes, unexpected file creations in web directories, and anomalous outbound network traffic.
Compensating Controls: Immediately restrict public access to the installer endpoint via WAF rules or server-level configuration (e.g., .htaccess or Nginx deny directives).
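The following POSIX shell helpers are an added example, not code from the advisory or from the CtrlPanel project. They apply the three remediation steps above on a single host: check whether the installer script is still present on disk, disable it by renaming rather than deleting (so a copy survives for forensic review), emit the Nginx deny block or write the equivalent Apache .htaccess rule, and list PHP files under the web root modified in a recent window. The script assumes the application root is passed as an argument, that the installer sits at public/installer/index.php as the advisory states, and that public/ is the web server's document root so the installer is served under /installer/; the Nginx snippet and any sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the CtrlPanel project.
# Helpers for applying the advisory's remediation steps on one host.
# Assumptions: the application root is passed as an argument and the
# installer sits at public/installer/index.php beneath it (path from the
# advisory); public/ is the web server's document root (assumed), so the
# installer is served under /installer/.

INSTALLER_REL="public/installer/index.php"

# installer_present ROOT -> exit 0 if the installer script still exists on disk.
installer_present() {
    [ -f "$1/$INSTALLER_REL" ]
}

# disable_installer ROOT -> rename the installer so the web server no longer
# serves it as PHP; the copy is kept for forensic review rather than deleted.
# Exit 0 on success or if the file is already absent, 1 if the rename fails.
disable_installer() {
    _root="$1"
    if [ -f "$_root/$INSTALLER_REL" ]; then
        mv "$_root/$INSTALLER_REL" "$_root/$INSTALLER_REL.disabled" || return 1
    fi
    return 0
}

# nginx_deny_block -> print a location block (compensating control) that
# denies all clients access to the installer path; add it to the server{}
# block and reload Nginx. The URL path is the assumed one noted above.
nginx_deny_block() {
    cat <<'EOF'
location ^~ /installer/ {
    deny all;
}
EOF
}

# write_htaccess_deny ROOT -> Apache alternative: drop a .htaccess into the
# installer directory (Apache 2.4 syntax; needs AllowOverride to honour it).
# Exit 1 if the installer directory does not exist.
write_htaccess_deny() {
    _dir="$1/public/installer"
    [ -d "$_dir" ] || return 1
    printf 'Require all denied\n' > "$_dir/.htaccess"
}

# recent_php_changes ROOT MINUTES -> list PHP files under public/ modified in
# the last MINUTES minutes, the "unexpected file creations in web
# directories" the advisory says to look for.
recent_php_changes() {
    find "$1/public" -type f -name '*.php' -mmin "-$2" 2>/dev/null
}

# count_recent_php_changes ROOT MINUTES -> number of such files.
count_recent_php_changes() {
    recent_php_changes "$1" "$2" | wc -l | tr -d ' '
}

# Usage: sh ctrlpanel_mitigate.sh /path/to/ctrlpanel [minutes]
# Reports installer state, disables it, prints the Nginx deny config and
# lists recent PHP changes. Nothing runs when the file is sourced without args.
main() {
    root="$1"; mins="${2:-1440}"
    if installer_present "$root"; then
        echo "installer present at $root/$INSTALLER_REL - disabling"
        disable_installer "$root" || { echo "rename failed" >&2; return 1; }
    else
        echo "installer not found under $root"
    fi
    echo "--- Nginx compensating control ---"
    nginx_deny_block
    echo "--- PHP files changed in the last $mins minutes under public/ ---"
    recent_php_changes "$root" "$mins"
    echo "count: $(count_recent_php_changes "$root" "$mins")"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The rename keeps the original bytes available for incident review while stopping the web server from executing the file as PHP; the Nginx or Apache rule is the belt-and-braces control for hosts where the file cannot be touched before the upgrade to 1.2.0 lands.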
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
This is an extremely high-risk vulnerability with confirmed active exploitation. Organizations must treat this as a high-priority incident and apply the necessary patches or mitigating controls without delay to prevent unauthorized remote command execution.