Your hacker Blog

Threat actors actively exploit Control Web Panel RCE following PoC release

Threat actors are actively exploiting a recently patched critical remote code execution (RCE) vulnerability in Control Web Panel (CWP).

Threat actors are actively exploiting a recently patched critical vulnerability, tracked as CVE-2022-44877 (CVSS score: 9.8), in Control Web Panel (CWP).

Ongoing mass exploitation of CVE-2022-44877 (Centos Web Panel 7 Unauthenticated Remote Code Execution).Source: 206.189.170.136 Malicious Base64 payload is a reverse shell that connects to 206.189.170.136:9181The scanning of CWP instances started around January 06th. pic.twitter.com/PC8b9frmA9— Germán Fernández (@1ZRR4H) January 11, 2023The exploitation attempts began on January 6, 2023, after a proof-of-concept (PoC) exploit code was published online.

“login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.” reads the advisory for this vulnerability.

The flaw impacts the software before 0.9.8.1147, it was addressed with the release of 0.9.8.1147 version on October 25, 2022. The vulnerability was discovered by Numan Türle from Gais Security.

Researchers from Grey Noise and ShadowServer confirmed that threat actors are actively exploiting the flaw.

CENTOS Web Panel RCE CVE-2022-44877 Attempt Tag is live and we’re definitely seeing activityhttps://t.co/exHHtLh7gi pic.twitter.com/CXo8WSSRag— GreyNoise (@GreyNoiseIO) January 11, 2023
Heads up! We are seeing CVE-2022-44877 exploitation attempts for CWP (CentOS Web Panel/Control Web Panel) instances. This is an unauthenticated RCE. Exploitation is trivial and a PoC published. Exploitation first observed Jan 6th. Make sure to patch – https://t.co/SqOTMW6ZNG— Shadowserver (@Shadowserver) January 11, 2023Users are recommended to apply the security patches immediately.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)

The post Threat actors actively exploit Control Web Panel RCE following PoC release appeared first on Security Affairs.