CVE-2023-35885
Published: 20 June 2023
Summary
CVE-2023-35885 is a critical-severity Reliance on Cookies without Validation and Integrity Checking (CWE-565) vulnerability in Mgt-Commerce Cloudpanel. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CloudPanel 2 versions prior to 2.3.1 contain an insecure file-manager cookie authentication mechanism tracked as CVE-2023-35885. The flaw is rated 9.8 under CVSS 3.1 and is associated with CWE-565, indicating reliance on cookies without proper validation or integrity checks. The affected component allows unauthenticated network access to file-manager functionality in the CloudPanel control panel.
An attacker with network reachability can supply a crafted cookie to bypass authentication entirely. Successful exploitation grants full read, write, and delete access to files on the server, enabling complete compromise of confidentiality, integrity, and availability without any user interaction or prior credentials.
The vendor changelog for CloudPanel 2.3.1 addresses the issue through corrected cookie handling in the file-manager component. Public references, including a detailed disclosure and accompanying proof-of-concept repository, confirm that updating to the patched release resolves the authentication weakness.
EPSS for the vulnerability stands at 0.9412, indicating sustained exploitation interest following disclosure. Public artifacts such as the FallingSkies proof-of-concept further demonstrate practical attack feasibility against unpatched instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39878
Vulnerability details
CloudPanel 2 before 2.3.1 has insecure file-manager cookie authentication.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.