CISA adds Critical CWP vulnerability to Known Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added one Critical Control Web Panel (CWP) vulnerability to its Known Exploited Vulnerabilities Catalog.

CISA warned “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.”

The vulnerability was added to the Catalog on the basis of evidence of active exploitation in the wild.

CWP RCE (CVE-2022-44877)

The Critical unauthenticated remote code execution vulnerability CVE-2022-44877 (CVSS 9.8) affects login/index.php in CWP (Control Web Panel, formerly CentOS Web Panel) 7 before 0.9.8.1147. The flaw allows a remote, unauthenticated attacker to execute arbitrary OS commands by placing shell metacharacters in the login parameter.

The issue was discovered by Numan Türle at Gais Cyber Security, who also published a proof-of-concept video on YouTube.

According to the vulnerability advisory, “bash commands can be run because double quotes are used to log incorrect entries to the system.”
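The advisory's one-line explanation is the whole bug class: wrapping an untrusted value in double quotes inside a shell command string prevents word splitting, but it does not stop the shell from performing command substitution, so a "username" such as `$(id)` is executed when the failed login is logged. The following is an added illustration written for this article, not CWP's code: the function names, the log line format and the `$(touch ...)` payload are assumptions chosen to show the mechanism in a throwaway temporary directory, next to two fixes (write the value as data with no shell at all, or, where a shell is unavoidable, pass it as a positional argument rather than interpolating it into the command).

```python
import os
import subprocess
import tempfile
from typing import Callable, Tuple

# Constructed example of the bug class described in the advisory (OS command
# injection through a double-quoted shell string). Not CWP's code; the names
# and log format below are assumptions.


def log_failed_login_vulnerable(login: str, logfile: str) -> None:
    """Vulnerable pattern: the untrusted login value is interpolated into a
    shell command inside double quotes. Double quotes suppress word
    splitting and globbing, but /bin/sh still expands $(...) and backticks
    inside them, so metacharacters in `login` run as commands."""
    cmd = f'echo "Failed login attempt for user: {login}" >> "{logfile}"'
    subprocess.run(cmd, shell=True, check=True)


def log_failed_login_safe(login: str, logfile: str) -> None:
    """Hardened form: no shell is involved, the value is written as data."""
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write(f"Failed login attempt for user: {login}\n")


def log_failed_login_safe_shell(login: str, logfile: str) -> None:
    """If a shell command is unavoidable, hand the value over as a positional
    parameter ($1). The script text is a fixed string and the attacker's
    input is never re-parsed by the shell; printf's %s prints it verbatim."""
    script = 'printf "Failed login attempt for user: %s\\n" "$1" >> "$2"'
    subprocess.run(["sh", "-c", script, "_", login, logfile], check=True)


def demonstrate(logger: Callable[[str, str], None]) -> Tuple[bool, str]:
    """Run `logger` with a command-substitution payload in the login field.
    Returns (marker_file_created, last_log_line): the marker only appears
    when the shell executed the attacker-controlled substitution."""
    with tempfile.TemporaryDirectory() as tmp:
        logfile = os.path.join(tmp, "login.log")
        marker = os.path.join(tmp, "pwned")
        # To the application this is just a username that failed to log in.
        payload = f"$(touch {marker})"
        logger(payload, logfile)
        with open(logfile, encoding="utf-8") as fh:
            last_line = fh.read().splitlines()[-1]
        return os.path.exists(marker), last_line


if __name__ == "__main__":
    for name, fn in [
        ("vulnerable", log_failed_login_vulnerable),
        ("safe (no shell)", log_failed_login_safe),
        ("safe (positional arg)", log_failed_login_safe_shell),
    ]:
        executed, line = demonstrate(fn)
        print(f"{name:22s} payload executed={executed!s:5s} logged={line!r}")
```

In the vulnerable case the log line ends up empty after the prefix (the substitution ran `touch` and produced no output), and the marker file exists; in both hardened forms the marker is absent and the log contains the literal `$(touch ...)` text, which is what a defender should expect to see in a tampered login attempt.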

Additional supporting links for CVE-2022-44877 are also available:

Readers can check out the latest details on CISA’s Known Exploited Vulnerabilities Catalog.
