Daily brief 2026-07-03
CVE-2026-57517 — Control Web Panel: pre-auth blind SQL injection to web-shell RCE (CVSS 9.8)
Part of run 2026-07-03T1809Z-intel (intel · Opus 4.8 (1M context))
CCB Belgium published a fresh advisory for CVE-2026-57517, a pre-authentication blind SQL injection in Control Web Panel, the widely deployed Linux hosting/server-management platform formerly known as CentOS Web Panel (CCB, 2026-07-03). The vulnerable input is the userRes POST parameter in the CWP user module; insufficient sanitisation lets an unauthenticated attacker inject SQL that runs with the backend database's privileges (CWE-89, CVSS 3.1 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS 4.0 9.3).

The disclosed chain uses INTO DUMPFILE to blind-write an attacker-controlled PHP web shell into a web-accessible directory without needing query output or credentials; the shell then executes commands as the cwpsvc service account, yielding full server compromise.

CCB states there is no evidence of in-the-wild exploitation yet but flags the pre-auth, no-interaction nature and CWP's large internet-facing footprint as a high-priority risk. The vendor changelog shows 0.9.8.1225 shipped 2026-05-06 (roughly two months before the public CVE disclosure on 2026-07-01), so instances left unpatched since the silent fix remain exposed today (Control Web Panel changelog, 2026-05-06).

Mapped to T1190 Exploit Public-Facing Application for the SQLi vector and T1505.003 Server Software Component: Web Shell for the DUMPFILE-written shell.

Defender takeaway: CWP has a history of becoming a mass-exploitation target once a pre-auth chain is public. Patch immediately, and because the fix does not remediate prior compromise, retro-hunt exposed hosts for web shells and anomalous cwpsvc child processes rather than assuming a patched box is clean.
“This blind SQL injection vulnerability in the userRes parameter allows unauthenticated remote attackers to write arbitrary files to the underlying filesystem and achieve remote code execution.” — Centre for Cybersecurity Belgium (CCB)
“There is no evidence of exploitation in the wild, however, the combination of critical severity, lack of authentication requirements, and CWP's large internet-facing footprint makes this a high-priority risk.” — Centre for Cybersecurity Belgium (CCB)
Action items
- Update internet-facing Control Web Panel instances to 0.9.8.1225 or later now. The fix predates the public CVE by ~2 months, so any host not updated since May 2026 is exposed.
- Treat patching as insufficient for compromise: check web-accessible directories under the CWP docroot (CCB names the Roundcube logs directory) for planted .php web shells before considering a previously exposed host clean.
- Hunt CWP/web-server access logs for SQL syntax (UNION, SLEEP(), INTO DUMPFILE/OUTFILE) in the userRes POST parameter, and alert on the cwpsvc service account spawning shell interpreters.
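The two hunts in the last action item, as an added example that is not part of the CCB advisory or CWP's own tooling. It assumes a constructed log format in which the request body has been captured as the last field (CWP's default access log does not record POST bodies, so a WAF/audit log or a custom log format is assumed), and the process events are likewise constructed; the indicator list and the interpreter list are starting points to tune, not an exhaustive signature.

```python
"""Hunt captured CWP requests for SQLi indicators in the userRes POST parameter
(CVE-2026-57517) and flag the cwpsvc service account spawning shell interpreters."""
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample lines (not real traffic): "<ts> <client> <method> <path> <body>".
# Assumption: the body field is the raw, URL-encoded POST body ("-" when absent).
SAMPLE_LOG = """\
2026-07-03T10:01:02Z 203.0.113.5 POST /user/index.php userRes=alice&page=1
2026-07-03T10:01:09Z 203.0.113.5 POST /user/index.php userRes=alice%27+AND+SLEEP%285%29--+&page=1
2026-07-03T10:02:11Z 198.51.100.7 POST /user/index.php userRes=x%27+UNION+SELECT+1+INTO+DUMPFILE+%27%2FPLACEHOLDER%2Fx.php%27--+
2026-07-03T10:03:00Z 192.0.2.9 GET /user/index.php?userRes=bob -
"""

# Indicators named in the advisory (UNION, SLEEP(), INTO DUMPFILE/OUTFILE), matched
# case-insensitively on the *decoded* parameter value so encoding does not hide them.
SQLI_PATTERNS = {
    "union":    re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.I),
    "sleep":    re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
    "dumpfile": re.compile(r"\bINTO\s+(DUMPFILE|OUTFILE)\b", re.I),
}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<body>.*)$")

def hunt_user_res(log_text):
    """Return (timestamp, client, [indicator names]) for each POST whose userRes
    parameter matches at least one SQLi indicator after URL decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        params = parse_qs(m["body"], keep_blank_values=True)   # first decode pass
        for value in params.get("userRes", []):
            decoded = unquote_plus(value)                       # second pass: double encoding
            found = sorted(n for n, rx in SQLI_PATTERNS.items() if rx.search(decoded))
            if found:
                hits.append((m["ts"], m["client"], found))
    return hits

# Interpreters a PHP-driven cwpsvc process has no routine reason to spawn; tune per host.
SHELL_INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}
SAMPLE_PROCS = [  # constructed (user, parent_comm, child_comm) process-creation events
    ("cwpsvc", "php-fpm", "sh"), ("cwpsvc", "php-fpm", "php-fpm"), ("root", "cron", "sh"),
]

def suspicious_cwpsvc_children(events):
    """Return the events where cwpsvc spawned a shell interpreter (web-shell tell)."""
    return [e for e in events if e[0] == "cwpsvc" and e[2] in SHELL_INTERPRETERS]

if __name__ == "__main__":
    for hit in hunt_user_res(SAMPLE_LOG):
        print("SQLi indicator:", hit)
    for ev in suspicious_cwpsvc_children(SAMPLE_PROCS):
        print("cwpsvc shell spawn:", ev)
```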