CVE-2026-57517
Control Web Panel · Control Web Panel
Control Web Panel is vulnerable to unauthenticated blind SQL injection, allowing remote attackers to achieve remote code execution via arbitrary file writes.
Executive summary
Control Web Panel is susceptible to a critical unauthenticated SQL injection vulnerability that permits remote code execution, posing an immediate risk of full system compromise.
Vulnerability
This is a blind SQL injection vulnerability occurring in the 'userRes' POST parameter. An unauthenticated attacker can manipulate database queries to write malicious files, such as PHP webshells, resulting in remote code execution.
Business impact
With a CVSS score of 9.8, this vulnerability represents a critical threat to organizational integrity. Successful exploitation grants an attacker full control over the affected server, potentially leading to total data exfiltration, unauthorized administrative access, and the deployment of persistent backdoors within the hosting environment.
Remediation
Immediate Action: Upgrade the Control Web Panel installation to version 0.9.8.1225 or later without delay.
Proactive Monitoring: Inspect web server logs for suspicious POST requests targeting the 'userRes' parameter and monitor for unauthorized files in the roundcube logs directory.
Compensating Controls: Deploy a Web Application Firewall (WAF) with strict SQL injection filtering rules to block malicious input strings targeting the vulnerable endpoint.
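The two monitoring steps above, as an added example that is not part of this advisory and not code from the Control Web Panel project: a small Python script that parses web server log lines, flags POST requests whose 'userRes' parameter carries SQL metacharacters, and lists non-log files in a logs directory. Only the parameter name 'userRes' comes from the advisory; the log format (combined format with the request body appended as a final quoted field, which requires a custom log_format since stock access logs do not record bodies), the endpoint path and the expected log file extensions are assumptions, and the sample log lines are constructed.

```python
# Added example for the advisory's monitoring steps; not the vendor's code.
# Assumptions: combined access-log format with an optional trailing quoted
# body field, a placeholder endpoint path, and .log/.gz as the only file
# types expected in the Roundcube logs directory.
import os
import re
from urllib.parse import parse_qs, unquote_plus

# One access-log line: ip ident user [ts] "METHOD uri proto" status bytes
# optionally followed by "referer" "user-agent" and an assumed "body" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "[^"]*")?(?: "(?P<body>[^"]*)")?$'
)

# Generic SQL-injection indicators: quotes, comment sequences, time-delay
# functions used in blind probes, and set-operation keywords.
SQLI_RE = re.compile(
    r"""('|"|--|/\*|\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b|\bselect\b)""", re.I
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def user_res_values(rec):
    """Every 'userRes' value found in the query string or the logged body."""
    vals = []
    if "?" in rec["uri"]:
        vals += parse_qs(rec["uri"].split("?", 1)[1]).get("userRes", [])
    if rec.get("body"):
        vals += parse_qs(rec["body"]).get("userRes", [])
    # parse_qs decodes once; a second unquote_plus also catches double-encoded values.
    return [unquote_plus(v) for v in vals]


def flag_requests(lines):
    """(ip, timestamp, decoded value) for POST requests with a suspicious userRes."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        for v in user_res_values(rec):
            if SQLI_RE.search(v):
                hits.append((rec["ip"], rec["ts"], v))
    return hits


# Assumption: a Roundcube logs directory should only hold rotated log files.
LOG_EXT = (".log", ".log.1", ".gz")


def suspicious_files(names):
    """Names that are not log files, e.g. a dropped .php script."""
    return sorted(n for n in names if not n.lower().endswith(LOG_EXT))


def scan_dir(path):
    """Apply suspicious_files() to a real directory listing."""
    return suspicious_files(os.listdir(path))


# Constructed sample lines (not real traffic); the endpoint path is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "POST /PLACEHOLDER_ENDPOINT HTTP/1.1" '
    '200 512 "-" "curl/8.0" "userRes=alice"',
    '203.0.113.9 - - [10/Jan/2026:10:00:02 +0000] "POST /PLACEHOLDER_ENDPOINT HTTP/1.1" '
    '200 512 "-" "curl/8.0" "userRes=alice%27%20--"',
    '198.51.100.2 - - [10/Jan/2026:10:00:03 +0000] "GET /index.php?userRes=bob HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, ts, value in flag_requests(SAMPLE_LOG):
        print(f"suspicious userRes from {ip} at {ts}: {value!r}")
    print(suspicious_files(["errors.log", "sendmail.log", "x.php"]))
```

Feed real log lines to flag_requests() and point scan_dir() at the actual Roundcube logs directory; a hit from either is a trigger for the audit the analyst recommendation calls for, not proof of compromise on its own.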
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the severity of this remote code execution flaw, immediate patching is mandatory. Administrators must prioritize updating the Control Web Panel software to the latest version and perform a thorough security audit of the server to ensure no unauthorized persistence mechanisms have been established.