BrainyCP 1.0 Remote Code Execution via Authenticated Crontab Manipulation

Advisories

severity: high
date: December 19, 2025
Affecting: BrainyCP 1.0
CVE: CVE-2023-53945
CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-51357
Official Product Homepage
Credit: Ahmet Ümit BAYRAM
Description: BrainyCP 1.0 contains an authenticated remote code execution vulnerability that allows logged-in users to inject arbitrary commands through the crontab configuration interface. Attackers can exploit the crontab endpoint by adding a malicious command that spawns a reverse shell to a specified IP and port.