Pierluigi Paganini
January 12, 2023
Threat actors are actively exploiting a recently patched critical vulnerability, tracked as CVE-2022-44877 (CVSS score: 9.8), in Control Web Panel (CWP).
🚨 Ongoing mass exploitation of CVE-2022-44877 (Centos Web Panel 7 Unauthenticated Remote Code Execution).
— Germán Fernández (@1ZRR4H) January 11, 2023
Source: 206.189.170.136
Malicious Base64 payload is a reverse shell that connects to 206.189.170.136:9181
The scanning of CWP instances started around January 06th. pic.twitter.com/PC8b9frmA9
The exploitation attempts began on January 6, 2023, after a proof-of-concept (PoC) exploit code was published online.
“login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.” reads the advisory for this vulnerability.
The flaw impacts the software before 0.9.8.1147, it was addressed with the release of 0.9.8.1147 version on October 25, 2022. The vulnerability was discovered by Numan Türle from Gais Security.
Researchers from Grey Noise and ShadowServer confirmed that threat actors are actively exploiting the flaw.
CENTOS Web Panel RCE CVE-2022-44877 Attempt Tag is live and we're definitely seeing activity👀https://t.co/exHHtLh7gi pic.twitter.com/CXo8WSSRag
— GreyNoise (@GreyNoiseIO) January 11, 2023
Heads up! We are seeing CVE-2022-44877 exploitation attempts for CWP (CentOS Web Panel/Control Web Panel) instances. This is an unauthenticated RCE. Exploitation is trivial and a PoC published. Exploitation first observed Jan 6th.
— Shadowserver (@Shadowserver) January 11, 2023
Make sure to patch – https://t.co/SqOTMW6ZNG
Users are recommended to apply the security patches immediately.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Moshen Dragon)
[adrotate banner=”5″]
[adrotate banner=”13″]
