Unauthenticated Takeover Flaw in Control Web Panel (CVE-2026-57517): 150,000+ Instances Exposed — Update to 0.9.8.1225
Control Web Panel (CWP, formerly CentOS Web Panel), a free Linux server management panel, has a flaw (CVE-2026-57517) that lets an unauthenticated attacker manipulate the database and take over the server. 150,000+ instances are exposed — update to 0.9.8.1225.
A vulnerability that can let an attacker take over a server without any login has been found in "Control Web Panel (CWP, formerly CentOS Web Panel)," a free management dashboard widely used to run rented servers and VPSes. It is tracked as CVE-2026-57517, with a severity of 9.8 out of 10 ("Critical").
An attacker can freely manipulate the database CWP uses without undergoing any identity check (authentication), simply by sending a crafted request. From there it can ultimately lead to planting a malicious program (a web shell) on the server and taking it over. More than 150,000 CWP dashboards are exposed on the internet (another count puts it above 220,000), and Japan is among the countries with the most installations. The developer has released a fixed version, "0.9.8.1225," so any server running CWP needs to update now.
| Item | Details |
|---|---|
| Tracking ID | CVE-2026-57517 |
| Affected software | Control Web Panel (CWP, formerly CentOS Web Panel) |
| Affected versions | Before 0.9.8.1225 |
| Fixed version | 0.9.8.1225 |
| Severity | CVSS 9.8 / 10 ("Critical") |
| Type | SQL injection (CWE-89) |
| Login needed | No (exploitable unauthenticated) |
| Exploitation | None reported for this CVE yet (product heavily abused before) |
| Exposed instances | 150,000–220,000+ worldwide |
Who would exploit this, and why
The attackers to expect are the anonymous mass of opportunistic attackers who can reach an internet-exposed CWP dashboard. A CWP dashboard is often opened over the network as the entry point for operating a server, and the danger of this flaw is that it can be tried with no login and no special privileges. Attackers mechanically hunt for exposed servers and fire attacks at every one they find.
What an attacker can do is freely manipulate CWP's database with a crafted request and use that as a foothold to plant a malicious program (a web shell) on the server and take it over. A web shell is a backdoor program that lets an attacker send commands to the server through a browser.
If a server management panel is taken over, the damage is not limited to one machine. CWP is used to manage many websites, mail, and databases together on a single server, so a takeover leads at once to tampering with every site running on it, leaks of customer data, and turning the box into a springboard for phishing sites and spam. If a hosting provider uses it, the many customers sharing that server can be caught in the blast. That is why the update below should be your top priority.
What Control Web Panel (CWP) is
Control Web Panel is a free management tool (a control panel) that lets you administer a Linux server entirely through screen operations. It was previously known as "CentOS Web Panel." Because it lets you publish websites, create mail accounts, manage databases, and set up SSL certificates in the browser without typing commands, it is widely used from individuals to small hosting providers as an alternative to paid panels like cPanel.
Adoption is high worldwide: scanning services count more than 150,000 internet-exposed CWP dashboards (over 220,000 on Shodan). By country, after the United States and Germany, Japan ranks near the top, meaning many domestic servers use it as well.
The problem is that CWP is a long-standing "favorite target" for attackers. Its dashboard is easy to expose to the internet, and the payoff for a takeover is large, so unauthenticated takeover flaws have been exploited repeatedly in the past. This CVE-2026-57517 is a new entry in that lineage.
What actually happens: inside the flaw
The cause is insufficient checking when CWP incorporates received input into a command sent to the database. According to the NVD (the U.S. NIST vulnerability database) description, by placing a crafted string in a submitted field (the userRes POST parameter), an attacker can execute arbitrary database commands (SQL). This is SQL injection (CWE-89), a classic but high-impact flaw.
The type here is called "blind SQL injection": even without the results being shown directly on screen, the contents of the database can be inferred and extracted one character at a time from differences in the system's responses. Sensitive information stored in the database — such as administrator account credentials and settings — can be read out. Because all of this can be done without any login, the severity is rated CVSS 9.8 (Critical).
The NVD further notes that this flaw can ultimately lead to arbitrary program execution (RCE) on the server, since attackers are expected to use the database access as a foothold to plant a PHP web shell (a backdoor). The database manipulation itself works reliably, while planting the web shell and taking over is a staged technique that depends on the environment and configuration — but for software that runs close to administrator privileges, like CWP, it is a realistic threat.
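To make the root cause concrete, here is an added illustration of the bug class (CWE-89) and its fix; it is constructed for this article and is not CWP's code. It uses an in-memory SQLite table standing in for the panel database and a parameter named after the `userRes` field in the NVD description; the vulnerable function splices the value into the SQL text, the hardened one binds it as a parameter.

```python
import sqlite3

# Constructed stand-in for the panel database (not CWP's schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE accounts (username TEXT, role TEXT)")
conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                 [("alice", "admin"), ("o'brien", "user")])


def lookup_concat(user_res: str):
    """Vulnerable pattern: the POST value becomes part of the SQL text,
    so the database parser treats user input as query syntax."""
    sql = "SELECT role FROM accounts WHERE username = '" + user_res + "'"
    return conn.execute(sql).fetchall()


def lookup_param(user_res: str):
    """Hardened pattern: the value travels as a bound parameter and can
    never alter the shape of the statement, whatever it contains."""
    sql = "SELECT role FROM accounts WHERE username = ?"
    return conn.execute(sql, (user_res,)).fetchall()


def concat_breaks_on(user_res: str) -> bool:
    """True when the concatenating version cannot even parse the input:
    a plain apostrophe already reaches the SQL grammar, which is the
    same root cause an attacker would build on."""
    try:
        lookup_concat(user_res)
        return False
    except sqlite3.Error:
        return True
```

The harmless name `o'brien` is enough to break the concatenated query while the parameterized one answers correctly, which is the check a reviewer should apply to any code that builds SQL from request fields.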
Is my server at risk? A version-by-version guide
Log in to the CWP dashboard and check the version shown. The table below helps you judge your situation.
| Your version | Dashboard exposed to internet | Source IPs restricted |
|---|---|---|
| Before 0.9.8.1225 | Critical: update now | Medium: still update |
| 0.9.8.1225 or later | Patched | Patched |
| CWP not used | Not affected | Not affected |
If you restrict access to the dashboard to trusted IP addresses only, attacks from the anonymous masses have a harder time reaching you, so the urgency drops. Even so, the possibility of misconfiguration or an internal attack remains, so updating is the safe choice either way.
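When checking many servers, the comparison against 0.9.8.1225 has to be numeric per component: as strings, "0.9.8.999" sorts above "0.9.8.1225" and would wrongly pass as patched. This added helper (written for this article, not a CWP tool) parses the dotted version and applies the triage table above.

```python
import re

FIXED_VERSION = "0.9.8.1225"  # fixed release named in this advisory


def parse_version(text: str) -> tuple:
    """Turn a dotted CWP version such as '0.9.8.1225' into a tuple of
    ints so each component compares numerically, not lexicographically."""
    m = re.fullmatch(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_patched(version: str) -> bool:
    """True when the installed version is 0.9.8.1225 or later."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def triage(version, ip_restricted: bool) -> str:
    """Apply the version table: version None means CWP is not installed;
    ip_restricted says whether dashboard access is limited to trusted
    source IPs rather than open to the whole internet."""
    if version is None:
        return "not affected"
    if is_patched(version):
        return "patched"
    if ip_restricted:
        return "medium: still update"
    return "critical: update now"
```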
Background: CWP is a habitual target for unauthenticated takeover
This CVE-2026-57517 should not be dismissed as a one-off flaw. CWP is a product where vulnerabilities allowing unauthenticated server takeover have been found again and again and actually used in large-scale attacks. It has been listed multiple times in the U.S. agency CISA's "Known Exploited Vulnerabilities (KEV)" catalog. Lined up chronologically, the pattern of repeat abuse is clear.
| Tracking ID | Description | Status |
|---|---|---|
| CVE-2022-44877 | Unauthenticated code execution | Mass-exploited in KEV |
| CVE-2025-48703 | Unauthenticated code execution | Exploited in KEV |
| CVE-2026-57517 | Unauthenticated DB access → takeover | This case (no exploitation reported yet) |
Why is CWP targeted repeatedly? The backdrop is a structural one: the server management panel — the most powerful entry point of all — tends to be exposed directly to the internet. In exchange for its convenience, the panel is a high-return target for attackers, because a takeover instantly hands over the whole server. Past CWP flaws have often seen automated attacks begin soon after disclosure, so "no exploitation reported yet" is no reason to relax this time. Vulnerabilities actually used in attacks can be tracked in our CISA KEV Dashboard (Japanese edition), and CWP-related entries may well appear there again.
What to do now
The top priority is to update CWP to the fixed version 0.9.8.1225 or later. CWP can be updated with a command on the server (yum update or CWP's built-in update feature). Check the latest version in the official changelog.
Beyond updating, it is worth reviewing the defenses specific to a management panel. First, do not expose the dashboard (by default on ports such as 2030/2031) to the whole internet; restrict source addresses to the IPs you actually use. Limiting it to your office or home fixed line, or to VPN access only, blocks almost all automated attacks from the anonymous masses. Next, place a WAF (a mechanism that detects and stops malicious traffic) in front, and check whether you have already been breached. Look for unfamiliar PHP files, administrator accounts, unexpected database changes, or suspicious traffic, and if anything looks wrong, rotate all passwords and database credentials.
Summary
CVE-2026-57517 is a vulnerability in the CWP server management panel where, without a login, an attacker can manipulate the database and ultimately take over the server. The severity is a top-class CVSS 9.8, more than 150,000 CWP dashboards are exposed on the internet, and many exist in Japan too. A fixed version, 0.9.8.1225, is already available.
CWP is a standard target for attackers, with unauthenticated takeover flaws repeatedly exploited in the past. Assume automated attacks may begin right after disclosure this time as well: update immediately, and switch to an operation that does not expose the dashboard to the internet. Start by checking, right now, whether your server's CWP is on 0.9.8.1225 or later.
References
- NVD - CVE-2026-57517 Detail (U.S. NIST)
- Control Web Panel official - Changelog (fix 0.9.8.1225)
- NVD - CVE-2025-48703 (earlier unauthenticated RCE, in KEV)
- NVD - CVE-2022-44877 (earlier unauthenticated RCE, mass-exploited)
- BleepingComputer - CISA warns of critical CentOS Web Panel bug exploited
- CISA - Known Exploited Vulnerabilities Catalog (KEV)

Makoto Horikawa
Backend Engineer / AWS / Django