
CVE-2022-44877 – CentOS Control Web Panel Unauthenticated RCE

CVE-2022-44877 is a critical unauthenticated, remote code execution vulnerability found in Control Web Panel (CWP) in October 2022. This vulnerability allows remote attackers to execute arbitrary operating system commands via shell metacharacters in the login parameter of the CWP’s login page.

Written by Piyush Chhiroliya

February 23, 2023 | 2 min read

Introduction

CVE-2022-44877 is an unauthenticated remote code execution flaw in Control Web Panel (CWP), formerly known as CentOS Web Panel. It was discovered by security researcher Numan Türle, who published a proof-of-concept exploit for it on January 3, 2023.

About the CVE-2022-44877

The vulnerability arises from the way CWP logs incorrect login attempts: the value of the login parameter is interpolated into a shell command inside double quotes. A POSIX shell still performs expansions inside double quotes, so command substitution such as $(...) in the login value is executed instead of being written to the log as literal text. Successful exploitation allows unauthenticated remote attackers to execute arbitrary operating system commands via shell metacharacters in the login parameter of login/index.php.
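The following is an added example, not CWP's own code, that reproduces the bug class described above: a failed-login logger that interpolates the untrusted login value into a double-quoted shell command, shown next to two fixed versions. The log message format, the log file name and the demo() helper are assumptions made for illustration.

```python
# Added example (not CWP's own code): the bug class behind CVE-2022-44877.
# A failed-login logger builds a shell command with the untrusted login value
# inside double quotes. The shell still performs command substitution inside
# double quotes, so a login of $(id) runs `id`. The log message format and log
# file name used here are assumptions for illustration, not taken from CWP.
import os
import shlex
import subprocess
import tempfile
from typing import Dict

# Assumed message format; CWP's actual wording is not reproduced here.
LOG_MESSAGE = "incorrect entry, IP address ({ip}), login ({login})"


def log_failed_login_vulnerable(login: str, ip: str, log_path: str) -> None:
    """Vulnerable pattern: untrusted value interpolated into a double-quoted
    shell string. $(...), backticks and ${VAR} are expanded by /bin/sh."""
    cmd = 'echo "' + LOG_MESSAGE.format(ip=ip, login=login) + '" >> ' + shlex.quote(log_path)
    subprocess.run(cmd, shell=True, check=False)


def log_failed_login_quoted(login: str, ip: str, log_path: str) -> None:
    """Mitigation when a shell is unavoidable: shlex.quote() single-quotes the
    whole untrusted fragment, so the shell performs no expansion on it."""
    cmd = "echo " + shlex.quote(LOG_MESSAGE.format(ip=ip, login=login)) + " >> " + shlex.quote(log_path)
    subprocess.run(cmd, shell=True, check=False)


def log_failed_login_hardened(login: str, ip: str, log_path: str) -> None:
    """Preferred fix: no shell at all. The value is written as data."""
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(LOG_MESSAGE.format(ip=ip, login=login) + "\n")


LOGGERS = {
    "vulnerable": log_failed_login_vulnerable,
    "quoted": log_failed_login_quoted,
    "hardened": log_failed_login_hardened,
}


def demo(login: str = "$(echo INJECTED)", ip: str = "203.0.113.5") -> Dict[str, str]:
    """Feed the same login value to each logger and return what each wrote.
    A throwaway log file is used per logger so the example is self-contained."""
    results: Dict[str, str] = {}
    for name, logger in LOGGERS.items():
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "failed_logins.log")  # assumed file name
            logger(login, ip, path)
            with open(path, encoding="utf-8") as fh:
                results[name] = fh.read().strip()
    return results


if __name__ == "__main__":
    # Attackers commonly replace spaces with ${IFS}, which also expands inside
    # double quotes; both payloads execute in the vulnerable logger.
    for payload in ("$(echo INJECTED)", "$(echo${IFS}INJECTED)"):
        for name, logged in demo(payload).items():
            print(f"{name:10} {logged}")
```

The vulnerable logger records "login (INJECTED)" because the shell ran the substitution; the quoted and hardened loggers both record the literal "$(echo INJECTED)". The ${IFS} variant matters in practice because it lets a payload avoid spaces, which are awkward to pass through a URL-encoded parameter.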

This vulnerability was fixed in an October 2022 release of CWP. On January 6, 2023, security nonprofit Shadowserver reported exploitation in the wild. As of January 19, 2023, security firm GreyNoise has also seen several IP addresses exploiting CVE-2022-44877.

What is Control Web Panel 7?

Control Web Panel is a popular free interface for managing web servers. Shadowserver's dashboard for CWP identifies tens of thousands of instances exposed on the internet. There doesn't appear to be a detailed vendor advisory for CVE-2022-44877. However, available information indicates that Control Web Panel 7 (CWP 7) versions before 0.9.8.1147 are vulnerable.

Proof-of-Concept (PoC) – CVE-2022-44877

The proof-of-concept exploit for CVE-2022-44877 is simple: a single POST request to the login page whose login parameter carries a shell command substitution, typically one that starts a reverse shell. Here is the PoC:

The payload shown uses the injected command substitution to run ping with -nc 2, that is -n (numeric output, no reverse DNS lookups) combined with -c 2 (send two echo requests), against a hostname served by interactsh, an out-of-band callback server under the attacker's control. The target's DNS lookup (and any ICMP that follows) is registered by interactsh, which confirms that the command executed without relying on any command output being reflected in the HTTP response.
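Because the exploit rides on a single request to login/index.php with shell metacharacters in the login parameter, exploitation attempts leave a recognisable trace in web server access logs. The following is an added detection example, not part of the original post, that flags such requests. It assumes combined-log-format lines and that the login parameter appears in the logged request URI (the published exploit passes it in the query string); the sample log lines, the callback hostname and the scan() and suspicious_login_values() helpers are constructed for the example.

```python
# Added example, not from the original post: flag CVE-2022-44877 exploitation
# attempts in web server access logs. It assumes combined-log-format lines and
# that the login parameter appears in the logged request URI (the published
# exploit sends it in the query string of a request to /login/index.php).
# The log lines below are constructed for the example.
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: one exploit attempt (percent-encoded payload), one normal
# POST without a query string, and one harmless login value.
SAMPLE_LINES = [
    '203.0.113.7 - - [19/Jan/2023:10:15:31 +0000] "POST /login/index.php?login=%24%28ping%24%7BIFS%7D-nc%24%7BIFS%7D2%24%7BIFS%7Dexample.oast.test%29 HTTP/1.1" 200 1234 "-" "curl/7.85.0"',
    '198.51.100.4 - - [19/Jan/2023:10:16:02 +0000] "POST /login/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/Jan/2023:10:17:45 +0000] "GET /login/index.php?login=admin HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
]

# Combined log format: ip ident user [timestamp] "METHOD uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# What /bin/sh interprets inside a double-quoted string: $(...), `...`, ${...}
# expansions, and a literal " which closes the quoted string so that anything
# after it is parsed as shell syntax.
SHELL_META = ("$(", "`", "${", '"')


def suspicious_login_values(uri: str) -> List[str]:
    """Return login= values from a /login/index.php request that contain
    shell metacharacters. Values are decoded a second time to catch
    double percent-encoding (e.g. %2524 for $)."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/login/index.php"):
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("login", [])
    decoded = [unquote(v) for v in values]
    return [v for v in decoded if any(m in v for m in SHELL_META)]


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Scan access-log lines and return one record per suspicious request."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for value in suspicious_login_values(m["uri"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "status": m["status"], "login": value})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

A hit records an attempt, not a confirmed compromise: the login page answers 200 whether or not the substitution ran. To confirm, check the CWP failed-login log for the injected string, look for outbound DNS or ICMP from the server to the attacker's callback domain, and review new processes, cron entries and users created around the timestamp of the hit.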

How to fix the CVE-2022-44877

There is no detailed vendor advisory for CVE-2022-44877, but available information indicates that Control Web Panel 7 (CWP 7) versions before 0.9.8.1147 are vulnerable. CWP users should therefore upgrade to 0.9.8.1147 or later as soon as possible. Because exploitation in the wild was observed within days of the public PoC, anyone who ran an older version exposed to the internet should also treat the upgrade as incomplete until they have reviewed their login logs and the server itself for signs of compromise.

Secure your cloud infrastructure with PingSafe

PingSafe's platform scans your cloud infrastructure, identifies the components affected by known vulnerabilities, prioritizes the findings and gives you a real-time view of your exposure.

Using PingSafe’s cloud security platform, you can protect your cloud environment against the latest zero-day attacks, keep up-to-date with the latest developments in cloud computing, and enhance your security posture across multiple cloud accounts.

Sign up for a personalized demo today!