ctipilot.ch

Control Web Panel pre-auth blind SQLi to web-shell RCE via INTO DUMPFILE (CVSS 9.8)

cve · CVE-2026-57517 · single-source · national-cert

  • Coverage timeline: 1 (first 2026-07-03 → last 2026-07-03)
  • Entries: 1 (1 distinct day)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (trending-vulnerabilities)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-07-03 · CVE-2026-57517 — Control Web Panel: pre-auth blind SQL injection to web-shell RCE (CVSS 9.8)
     trending-vulnerabilities · CVE-2026-57517 — Control Web Panel: pre-auth SQLi to RCE via INTO DUMPFILE (CVSS 9.8)

Where this entity is cited

  • trending-vulnerabilities (1)

Source distribution

  • ccb.belgium.be: 1 (50%)
  • control-webpanel.com: 1 (50%)

Entries about Control Web Panel pre-auth blind SQLi to web-shell RCE via INTO DUMPFILE (CVSS 9.8) (1)

2026-07-03

CVE-2026-57517 — Control Web Panel: pre-auth blind SQL injection to web-shell RCE (CVSS 9.8)

high · vulnerability · discovered 2026-07-03 18:25 UTC · single-source · national CERT

CCB Belgium published a fresh advisory for CVE-2026-57517, a pre-authentication blind SQL injection in Control Web Panel, the widely deployed Linux hosting/server-management platform formerly known as CentOS Web Panel (CCB, 2026-07-03). The vulnerable input is the userRes POST parameter in the CWP user module; insufficient sanitisation lets an unauthenticated attacker inject SQL that runs with the backend database's privileges (CWE-89; CVSS 3.1 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS 4.0 9.3). The disclosed chain uses INTO DUMPFILE to blind-write an attacker-controlled PHP web shell into a web-accessible directory, needing neither query output nor credentials; the shell then executes commands as the cwpsvc service account, yielding full server compromise.

CCB states there is no evidence of in-the-wild exploitation yet but flags the pre-auth, no-interaction nature of the bug and CWP's large internet-facing footprint as a high-priority risk. The vendor changelog shows 0.9.8.1225 shipped 2026-05-06, roughly two months before the public CVE disclosure on 2026-07-01, so instances left unpatched since that silent fix remain exposed today (Control Web Panel changelog, 2026-05-06). Mapped to T1190 Exploit Public-Facing Application for the SQLi vector and T1505.003 Server Software Component: Web Shell for the DUMPFILE-written shell.

Defender takeaway: CWP has a history of becoming a mass-exploitation target once a pre-auth chain is public. Patch immediately, and because the fix does not remediate prior compromise, retro-hunt exposed hosts for web shells and anomalous cwpsvc child processes rather than assuming a patched box is clean.

“This blind SQL injection vulnerability in the userRes parameter allows unauthenticated remote attackers to write arbitrary files to the underlying filesystem and achieve remote code execution.” — Centre for Cybersecurity Belgium (CCB)

“There is no evidence of exploitation in the wild; however, the combination of critical severity, lack of authentication requirements, and CWP's large internet-facing footprint makes this a high-priority risk.” — Centre for Cybersecurity Belgium (CCB)
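The retro-hunt the takeaway above recommends, as an added Python example that is not part of the CCB advisory or of the CWP project: it walks a web root for PHP files modified since a given time and flags those owned by the database daemon user (a file written by MySQL's INTO DUMPFILE is created by mysqld, not by the web server) or passing request input into an execution call. The DB_USERS set, the "cwpsvc"/"mysql" owner names in the demo fixture and the web-root layout are assumptions, not values from the advisory.

```python
# Added example, not code from the advisory or the CWP project.
import re
import tempfile
import time
from pathlib import Path
try:
    import pwd  # Unix only; owner names fall back to numeric uids elsewhere
except ImportError:
    pwd = None

# Assumption: INTO DUMPFILE writes happen as the database daemon user, so a PHP
# file owned by that user inside a web root is a strong indicator by itself.
DB_USERS = {"mysql", "mariadb"}
RISKY_CALL = re.compile(
    r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|php://input", re.I)


def file_owner(path: Path) -> str:
    """Owning user name of a file, or the numeric uid where it cannot be resolved."""
    uid = path.stat().st_uid
    return pwd.getpwuid(uid).pw_name if pwd else str(uid)


def hunt_web_shells(web_root, since_ts, owner_of=file_owner):
    """Return [(path, reasons)] for PHP files under web_root that look like dropped shells.
    since_ts: epoch time; only files modified at or after it are examined. For a
    retro-hunt use the date the vulnerable build was installed, not the patch date.
    owner_of: injectable so a test can simulate a mysql-owned file without root."""
    findings = []
    for path in Path(web_root).rglob("*.php"):
        if path.stat().st_mtime < since_ts:
            continue
        reasons = []
        if owner_of(path) in DB_USERS:
            reasons.append("owned by database user")
        text = path.read_text(errors="replace")
        if RISKY_CALL.search(text) and REQUEST_INPUT.search(text):
            reasons.append("request input reaches an execution call")
        if reasons:
            findings.append((str(path), reasons))
    return findings


def demo():
    """Constructed fixture: one ordinary page plus one suspicious drop-in (not a real sample)."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "cache_x.php").write_text("<?php @system($_REQUEST['q']); ?>")
    fake_owner = lambda p: "mysql" if p.name == "cache_x.php" else "cwpsvc"
    return hunt_web_shells(root, time.time() - 3600, owner_of=fake_owner)
```

Run `hunt_web_shells("/path/to/webroot", since_ts)` with the real owner resolver on a host; a hit on either reason is a candidate for incident response, not proof by itself.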

vulnerabilities rce sqli pre-auth patch-available global CVE-2026-57517