CVE-2022-44877 | SentinelOne

CVE-2022-44877: CentOS Control Web Panel Unauthenticated RCE

CVE-2022-44877 is an unauthenticated remote code execution flaw in Control Web Panel (CWP), formerly known as CentOS Web Panel. The vulnerability was first discovered by security researcher Numan Türle, who published a proof-of-concept exploit for it on January 3, 2023.

About CVE-2022-44877

The vulnerability arises because CWP logs incorrect login entries through a double-quoted bash string, which lets an attacker break out of the quotes and run bash commands of their own. Successful exploitation allows unauthenticated remote attackers to execute arbitrary operating system commands via shell metacharacters in the login parameter of login/index.php.

This vulnerability was fixed in an October 2022 release of CWP. On January 6, 2023, security nonprofit Shadowserver reported exploitation in the wild. As of January 19, 2023, security firm GreyNoise has also seen several IP addresses exploiting CVE-2022-44877.

What is Control Web Panel 7?

Control Web Panel is a popular free interface for managing web servers. Shadowserver’s dashboard for CWP identifies tens of thousands of instances exposed on the internet. There doesn’t appear to be a detailed vendor advisory for CVE-2022-44877. However, available information indicates that Control Web Panel 7 (CWP 7) versions before are vulnerable.

Proof-of-Concept (PoC) – CVE-2022-44877

The proof-of-concept exploit for CVE-2022-44877 is quite simple and consists of a POST request to the login page with a payload that includes a command to create a reverse shell. Here is the POC:

The payload takes advantage of the vulnerability to execute the ping command with the option to run it twice (-nc 2) and returns the output to the attacker’s server using `interactsh`.
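A log-based detection for the request pattern described above, added here as an example (it is not SentinelOne's or CWP's code): it flags access-log entries that target login/index.php and carry shell metacharacters in the login parameter. The metacharacter list, the Common Log Format parsing and the sample log lines are constructed assumptions, not data from the original page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed heuristic: characters that can break out of a double-quoted bash
# string, matching the "shell metacharacters in the login parameter" description.
SHELL_META = re.compile(r'[;&|`$(){}<>\n]')

# Common Log Format: ip ident user [time] "request line" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) (\S+)')


def is_suspicious_cwp_login(request_line: str) -> bool:
    """True when a request targets login/index.php and its 'login' query
    parameter contains shell metacharacters after URL decoding."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    parts = urlsplit(target)
    if not parts.path.endswith("/login/index.php"):
        return False
    # parse_qs decodes once; unquote again so double-encoded values are caught too.
    for value in parse_qs(parts.query, keep_blank_values=True).get("login", []):
        if SHELL_META.search(unquote(value)):
            return True
    return False


def scan_access_log(lines):
    """Return (client_ip, request_line) for every log entry that matches."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and is_suspicious_cwp_login(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2023:10:01:02 +0000] "POST /login/index.php?login=admin HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2023:10:01:07 +0000] "POST /login/index.php?login=%24%28id%29 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2023:10:02:00 +0000] "GET /index.php?login=%24%28id%29 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, req in scan_access_log(SAMPLE_LOG):
        print(f"possible CVE-2022-44877 probe from {ip}: {req}")
```

Only the query string is visible in standard access logs, so a payload carried in a POST body needs application-level logging to be caught the same way.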

How to fix CVE-2022-44877

While there doesn’t appear to be a detailed vendor advisory for CVE-2022-44877, available information indicates that Control Web Panel 7 (CWP 7) versions before are vulnerable. CWP users should therefore upgrade to or later as soon as possible.