CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler files, leaving installer endpoints reachable on already-installed instances. The handlers also pass unsanitized user input directly into shell commands, allowing an attacker to submit crafted requests that execute arbitrary commands on the server. The vulnerability stems from two combined weaknesses: (1) premature form handler execution before the lock file gate, and (2) unsafe use of user input in shell command construction. This issue is reported to be actively exploited in the wild. The issue has been fixed in version 1.2.0.
The web installer (public/installer/index.php) checks for the presence of the install.lock file only after loading and executing form handler files, which leaves the installer endpoints accessible even on fully installed instances. Form handlers pass unsanitized user input directly to system shell commands (command injection). The combination of these two weaknesses — premature handler execution before lock file check and unsafe shell command construction — allows an attacker to submit a crafted HTTP request and execute arbitrary code on the server without any authentication.
An attacker can execute arbitrary system commands with the privileges of the web server process, which can lead to complete server takeover, data exfiltration, backdoor installation, or further lateral movement within the infrastructure.
CtrlPanel should be immediately updated to version 1.2.0, where the issue has been fixed. The patch is available in the vendor's repository: https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0
CtrlPanel (billing software for hosting providers) in versions 1.1.1 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H