Control Web Panel, the free hosting control panel formerly known as CentOS Web Panel, runs the websites, email, and databases on a large number of budget Linux servers. On July 4, 2026 a working exploit for CVE-2026-57517 was posted publicly on GitHub. It turns a flaw the vendor quietly patched a month ago into a way for an anonymous attacker to run commands on the server, with no username and no password. If you run Control Web Panel and have not moved to build 0.9.8.1225, this is today's job.
The flaw scores 9.8 on CVSS v3 and 9.3 on CVSS v4, both in the critical band. It was found by researcher Egidio Romano, and the identifier was assigned by the security firm VulnCheck, acting as the CVE numbering authority. The vendor shipped the fix on June 5, but only the July 1 public write-up and the July 4 exploit made the risk real for internet-facing panels.
What the flaw actually is
The bug is a blind SQL injection: a spot where the panel takes text from a web request and concatenates it into a database query instead of passing it as a bound parameter. It lives in the userRes field of a POST request sent to the panel's user login endpoint, which listens on port 2083. Because that endpoint answers before any login, the attacker never needs an account. The vulnerability type is CWE-89, the standard label for SQL injection.
"Blind" means the server does not print the query's result back to the attacker. That slows an attacker down but does not stop them; they recover data and confirm their commands one true-or-false question at a time. On its own, an unauthenticated database injection is already serious. The reason this one rates a 9.8 is what the database account is allowed to do next.
How a database bug becomes full server takeover
Control Web Panel runs its queries as the MySQL root account, and that account holds the global FILE privilege, the permission to read and write files on the database host's disk. An attacker who can run arbitrary SQL as that account can therefore have the database itself write a small file of their choosing into a folder the web server will serve. The researcher's advisory points at the web-reachable Roundcube webmail logs folder (/usr/local/cwpsrv/var/services/roundcube/logs/) as the drop spot. Plant a PHP file there, request it in a browser, and it runs as the cwpsvc service account. That is remote code execution with no login, reached in two requests: one to write the file, one to fetch it.
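Whether that escalation works on a given box depends on two facts you can read straight from MySQL: does the panel's database account hold the global FILE privilege, and does the server's secure_file_priv setting let SELECT ... INTO OUTFILE write outside a confined directory. The check below is added here; it is not part of the article and not Control Web Panel's code. It assumes a mysql client on PATH that can connect as the panel's database account, and the grant strings in the demo at the bottom are constructed, not output from any real server; classify_file_write and live_check are this example's own names.

```shell
#!/bin/sh
# Added check for the escalation step described above. It is not from the original
# article and not Control Web Panel's own code. Assumptions not stated on the page:
# the mysql client is on PATH and can connect as the panel's database account; the
# grant strings in the demo at the bottom are constructed, not output from any server.
set -eu

# classify_file_write GRANTS SECURE_FILE_PRIV
#   GRANTS            text of SHOW GRANTS for the panel's database account
#   SECURE_FILE_PRIV  value of the secure_file_priv server variable
# Prints a verdict. Returns 0 when an injection could write a file anywhere the mysqld
# OS user can, 2 when writes are confined to one directory (review whether the web
# server serves it), 1 when the file-write step is closed.
classify_file_write() {
    grants="$1"; sfp="$2"
    # FILE is a global privilege: it is either named in an "ON *.*" grant or implied
    # by ALL PRIVILEGES ON *.*.
    if printf '%s\n' "$grants" | grep -Eq 'GRANT ((.*, )?FILE(,.*)?|ALL PRIVILEGES) ON \*\.\*'; then
        has_file=yes
    else
        has_file=no
    fi
    # secure_file_priv: NULL disables INTO OUTFILE entirely, an empty value allows it
    # anywhere the mysqld OS user can write, a path confines it to that directory.
    if [ "$sfp" = NULL ]; then
        echo "closed: secure_file_priv is NULL, INTO OUTFILE is disabled (FILE grant: $has_file)"
        return 1
    fi
    if [ "$has_file" = no ]; then
        echo "closed: no global FILE privilege on this account"
        return 1
    fi
    if [ -z "$sfp" ]; then
        echo "EXPOSED: global FILE privilege and unrestricted secure_file_priv"
        return 0
    fi
    echo "REVIEW: global FILE privilege, writes confined to $sfp"
    return 2
}

# Same check against the live server; extra arguments go to the mysql client.
# The panel queries as MySQL root according to the article, so: live_check -u root -p
live_check() {
    grants=$(mysql -B -N ${1+"$@"} -e 'SHOW GRANTS FOR CURRENT_USER()')
    sfp=$(mysql -B -N ${1+"$@"} -e "SHOW VARIABLES LIKE 'secure_file_priv'" | cut -f2)
    classify_file_write "$grants" "$sfp"
}

# Demo over constructed grant strings.
classify_file_write "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION" "" || true
classify_file_write "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION" "/var/lib/mysql-files/" || true
classify_file_write "GRANT SELECT, INSERT, FILE ON *.* TO 'cwp'@'localhost'" "NULL" || true
classify_file_write "GRANT USAGE ON *.* TO 'app'@'localhost'
GRANT ALL PRIVILEGES ON cwp.* TO 'app'@'localhost'" "" || true
```

Run live_check as the account the panel really uses, not as whatever account you happen to have handy. Two caveats: a NULL or confined secure_file_priv closes the file-write step but does nothing about the injection itself, so it is exposure intelligence, not a substitute for the update; and revoking FILE from an account the panel depends on can break panel features, so test before you harden. The write also needs the mysqld OS user to have permission on the target directory, which this check does not examine.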
A public proof-of-concept exists and is linked from the advisory chain. We are not reprinting it. The mechanism above is the part defenders need; the working payload is the attacker's to publish, not ours.
Are you affected
| Product | Affected versions | Fixed in |
|---|---|---|
| Control Web Panel (all editions) | 0.9.8.1224 and earlier | 0.9.8.1225 |
Every build up to and including 0.9.8.1224 is vulnerable. The fix landed in 0.9.8.1225. Control Web Panel does not auto-update the core panel by default, so a server that was installed and left alone is almost certainly still on an affected build. The single most useful thing you can do in the next hour is confirm your version and update.
The clock that matters is the exploit clock, not the patch clock
The dates tell the story every hosting admin needs to absorb. The vendor fixed this on June 5, 2026. VulnCheck assigned CVE-2026-57517 on June 26. The public disclosure went out on July 1, and a working exploit appeared on GitHub on July 4. For an internet-facing panel, the danger did not spike when the patch shipped; it spiked when the exploit went public, which was four days ago. Anyone who read "patched, no reports of exploitation" as breathing room is now on the wrong side of that gap. We watched the same pattern play out with the Kemp LoadMaster flaw that attackers hit hours after its exploit chain went public.
Patch first. Then hunt, because the exposure window is a month old.
Update to Control Web Panel 0.9.8.1225 or later right now, and start with any panel whose port 2083 answers on a public address. Then assume the worst for the exposure window and go looking, because the fix has been reverse-engineerable since it shipped in early June.
- Hunt the drop folder. Any PHP or other script file inside the Roundcube logs folder is a red flag. A logs folder should hold log text, never executable code, so check contents as well as names: a script renamed to look like a log is still a script. Treat a script there as a live web shell until proven otherwise.
- Search your web logs for the injection. Look back through access logs for POST requests to the user login endpoint on port 2083. A standard access log records the request line but not the POST body, so the userRes value itself is only visible where a WAF or audit layer logs bodies; there, look for database syntax, timing functions, or unusual length. In the plain access log the signature is volume: repeated near-identical POSTs from one source are a blind injection walking the database one bit at a time.
- Watch what cwpsvc does. The cwpsvc account launching a shell, spawning system commands, or making outbound network connections is not normal and is worth an alert.
- Turn on file integrity monitoring for the panel's web-served folders so a newly planted file raises an alarm the moment it is written, not weeks later.
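The script below turns the version check from the table above and the first two hunt steps into something you can run on the box. It is an added example, not part of the article and not Control Web Panel's own tooling. It assumes Apache/nginx combined-format access logs, takes the login endpoint path as an argument because the page gives only the port (the "/login/index.php" used in the demo is a placeholder, not the real path), and builds its own constructed sample log lines and a sample Roundcube logs directory so it runs offline; all function names are this example's own.

```shell
#!/bin/sh
# Added example covering the version check and the first two hunt steps. It is not
# part of the original article and not Control Web Panel's own tooling. Assumptions
# that are NOT stated on the page: access-log lines are in Apache/nginx "combined"
# format; the login endpoint path is passed in by the caller (the page gives only the
# port, 2083), and "/login/index.php" below is a placeholder; the sample log lines and
# the sample Roundcube logs directory are constructed here.
set -eu

FIXED_BUILD="0.9.8.1225"   # first fixed build, from the advisory table

# Is an installed build string older than the fix? Returns 0 (true) when vulnerable.
cwp_is_vulnerable() {
    installed="$1"
    # sort -V orders dotted build numbers numerically, so the older one comes first.
    oldest=$(printf '%s\n%s\n' "$installed" "$FIXED_BUILD" | sort -V | head -n 1)
    [ "$oldest" = "$installed" ] && [ "$installed" != "$FIXED_BUILD" ]
}

# Step 1: anything in the Roundcube logs directory that is script rather than log text.
# Prints each suspicious path and returns 1 if any exist, so it can gate an alert.
hunt_drop_folder() {
    dir="$1"
    hits=$( {
        find "$dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \
            -o -name '*.sh' -o -name '*.py' -o -name '*.pl' \) 2>/dev/null
        grep -rlF '<?php' "$dir" 2>/dev/null || true   # renamed shells, e.g. *.log
    } | sort -u )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Step 2: per-source count of POSTs to the login endpoint. A blind injection asks the
# database one true/false question per request, so one IP issuing hundreds of
# near-identical POSTs is the signature. Prints "ip count" for sources at or above
# the threshold. Caveat: a combined-format access log holds the request line only,
# not the POST body, so the userRes field itself does not appear here.
post_bursts() {
    logfile="$1"; endpoint="$2"; threshold="${3:-50}"
    awk -v ep="$endpoint" -v th="$threshold" '
        $6 == "\"POST" && index($7, ep) == 1 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= th) print ip, n[ip] }' "$logfile" | sort -k2,2nr
}

# Step 2b: where a body-logging layer (WAF audit log, mod_security) records POST bodies,
# print entries whose userRes value carries SQL syntax, a timing function, or an
# unusual length.
body_hits() {
    sqlpat="userRes=[^&[:space:]]*(sleep\(|benchmark\(|select|union|%27|'|--|/\*)"
    longpat="userRes=[^&[:space:]]{200,}"
    grep -iE "$sqlpat|$longpat" "$1" || true
}

# Constructed sample data so the script runs stand-alone; every line below is made up.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/roundcube/logs"
    printf 'Jul 04 10:00:00 imap error\n' > "$d/roundcube/logs/errors.log"
    printf '<?php echo "planted"; ?>\n' > "$d/roundcube/logs/sess.log"   # script disguised as a log
    : > "$d/access.log"
    i=0
    while [ "$i" -lt 120 ]; do   # one source walking the database bit by bit
        printf '203.0.113.9 - - [04/Jul/2026:10:%02d:%02d +0000] "POST /login/index.php HTTP/1.1" 200 512 "-" "python-requests/2.31"\n' \
            $((i / 60)) $((i % 60)) >> "$d/access.log"
        i=$((i + 1))
    done
    printf '198.51.100.4 - - [04/Jul/2026:10:05:00 +0000] "POST /login/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$d/access.log"
    printf 'username=alice&userRes=alice&password=x\n' > "$d/body.log"            # benign login
    printf "username=a&userRes=x' AND SLEEP(5)-- -&password=x\n" >> "$d/body.log"  # textbook time-based probe
    printf '%s\n' "$d"
}

# Demo run over the sample.
sample=$(build_sample)
cwp_is_vulnerable 0.9.8.1224 && echo "build 0.9.8.1224: vulnerable, update to $FIXED_BUILD"
hunt_drop_folder "$sample/roundcube/logs" || echo "^ script content inside a logs folder"
post_bursts "$sample/access.log" /login/index.php 50
body_hits "$sample/body.log"
rm -rf "$sample"
```

On a real server, point hunt_drop_folder at /usr/local/cwpsrv/var/services/roundcube/logs/, post_bursts at the panel's access log with the real login path, and body_hits at whatever layer records request bodies. The burst threshold is a starting point; tune it to your normal login volume, and remember that the count is only a lead: a legitimate monitoring probe can also post repeatedly, so pair a hit with the drop-folder result and with cwpsvc process activity before you call it.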
This maps to two well-known attacker techniques in the MITRE ATT&CK model: exploiting a public-facing application (T1190) to get in, and installing a web shell (T1505.003) to stay. A managed detection service that already watches your web logs and file integrity will flag both signals. The point is to be looking now, across the whole window since early June, not only from the moment you patch.
Why this one is worth your attention
Control panels are a favorite target for a reason: one flaw exposes every site, mailbox, and database on the box, and the same software runs on thousands of near-identical low-cost servers. Control Web Panel in particular has a track record of being mass-exploited, including a 2022 flaw that landed on the US government's known-exploited list. A pre-login path to code execution that needs nothing but a couple of HTTP requests, with a public exploit and a month-old patch, checks every box that history says attackers act on. Patch, then hunt.