The Cybersecurity and Infrastructure Security Agency (CISA) has added one Critical Control Web Panel (CWP) vulnerability to its Known Exploited Vulnerabilities Catalog.
CISA warned “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.”
The vulnerability was added to the Catalog based on evidence of active exploitation.
CWP RCE (CVE-2022-44877)
The Critical unauthenticated remote code execution vulnerability CVE-2022-44877 (CVSS 9.8) affects login/index.php in CWP (i.e., Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147. The flaw allows a remote attacker to execute arbitrary OS commands via shell metacharacters in the login parameter.
This issue was discovered by Numan Türle at Gais Cyber Security, who also published a proof-of-concept video on YouTube.
According to the vulnerability advisory, “bash commands can be run because double quotes are used to log incorrect entries to the system.”
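As an added detection example (not from CISA, the advisory, or the CWP project), the following Python scans web server access-log lines for requests to login/index.php whose login parameter carries shell metacharacters; the log lines are constructed, and it assumes the parameter is visible in the logged request URL.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Shell metacharacters that can turn a value interpolated inside double quotes
# in a shell command into command execution (assumed list, not from the advisory).
SHELL_META = re.compile(r'\$\(|`|\$\{|[;|&]|\n')

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2023:12:00:01 +0000] "GET /login/index.php?login=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2023:12:00:02 +0000] "GET /login/index.php?login=%24%28id%29 HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.12 - - [10/Jan/2023:12:00:03 +0000] "GET /login/index.php?login=bob%3Bwhoami HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.13 - - [10/Jan/2023:12:00:04 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and request target from a combined-format log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"'
)


def suspicious_login_values(target):
    """Return login parameter values of a login/index.php request that contain shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith("/login/index.php"):
        return []
    # parse_qs percent-decodes once; unquote again to catch double-encoded values.
    values = parse_qs(parts.query, keep_blank_values=True).get("login", [])
    return [v for v in values if SHELL_META.search(unquote(v))]


def scan_access_log(text):
    """Return (ip, timestamp, value) for every request carrying a suspicious login parameter."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for value in suspicious_login_values(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious login parameter: {value!r}")
```

Patching to 0.9.8.1147 or later is the fix; this scan only helps establish whether an unpatched panel was already probed.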
Additional supporting links for CVE-2022-44877 are also available:
- http://packetstormsecurity.com/files/170388/Control-Web-Panel-7-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2023/Jan/1
- https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386
- https://www.youtube.com/watch?v=kiLfSvc1SYY
- https://control-webpanel.com/changelog#1653233365160-9848a986-1930
Readers can check out the latest details on CISA’s Known Exploited Vulnerabilities Catalog.