Exploitation attempts against a critical CentOS Control Web Panel (CWP) vulnerability have been observed shortly following the publication of the proof of concept (PoC) code in early January 2023.

A tool that was formerly known as the CentOS Web Panel, CWP is a free and popular web hosting control panel for groups of Linux systems; it offers support for the general management and security administration of servers and clients in an environment.

Identification of the vulnerability led to it being recorded as CVE-2022-44877 (with a CVSS score of 9.8 out of 10). The vulnerability allows unauthenticated attackers to perform remote code execution (RCE) on victimized systems.

The underlying defect being exploited is a misconfiguration in functionality whereby incorrect entries are logged on the panel. This allows threat actors send commands to be executed on the server. This was described in depth by CloudSEK researchers.

The NIST advisory states, “login/index.php in CWP 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.” First reported by researcher Numan Turle of Gais Cyber Security, he published a proof of concept exploit on January 3, 2023 along with a video demonstrating the exploitation.

Threat actors were quick to start exploiting the vulnerability, as two security organizations, GreyNoise and The Shadowserver Foundation, noting ongoing attempts at exploitation.

Shadowserver explained, “We are seeing CVE-2022-44877 exploitation attempts for CWP (CentOS Web Panel/Control Web Panel) instances. This is an unauthenticated RCE. Exploitation is trivial and a PoC published. Exploitation was first observed Jan 6th.”

The organization also noted that it has counted ~38,000 CWP instances that are currently exposed to the public Internet, while CloudSEK cited a count numbering in the hundreds of thousands.

Patches are available for CVE-2022-44877 (see CWP7 version 0.9.8.1147), and all CWP users are advised to immediately update to at least that version.

This is another example of how the security landscape is constantly shifting and many commonly used software products can create holes in your organization's armor. Only a well-managed security program can enable organizations to address risks across their operations. Contact Webcheck Security today for a free discussion of how our consultants can help your organization protect itself.