CVE-2019-13359
published 2019-07-16


Priority: P2 (61, high)
CVSS 3.0: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 25.77% (97.7th percentile)
In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a cwpsrv-xxx cookie allows a normal user to craft and upload a session file to the /tmp directory, and use it to become the root user.

Affected (1 range)

Vendor             Product    Version range   Fixed in
control-webpanel   webpanel   -               -

Detection & IOCs (extracted from sources)

cookie: cwpsrv-xxx (session cookie used to reference crafted /tmp/sess_* file)
cookie: cwsrp-xxxxxxxxxxxxxxxxxxxxx=123456
path: /tmp/sess_123456
url: https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php
port: 2031
port: 2083
filename: sess_123456
  • Monitor for creation of PHP session files (sess_*) in /tmp by non-root users, especially with content containing 'username|s:4:"root"' or 'logged|b:1', which indicates session forgery for privilege escalation.
  • Detect HTTP requests to the CWP admin panel on port 2031 (https://<host>:2031/cwp_*/admin/index.php) accompanied by a 'cwsrp-*' cookie whose value references a /tmp/sess_* file crafted by a low-privileged user.
  • Alert on chmod 664 or chmod 644 operations targeting /tmp/sess_* files, as the exploit requires relaxing permissions on the forged session file before the application resets them to 600.
  • Monitor for outbound /dev/tcp reverse shell connections from the CWP server process (cwpsrv) to attacker-controlled IPs on port 8000, indicative of Method 1 exploitation.
  • Detect file uploads to /tmp via the CWP File Manager (port 2083) where the uploaded filename matches the pattern sess_[a-zA-Z0-9]+ — a normal user abusing the file manager to plant a forged session.
  • The exploit is time-sensitive: the application automatically resets the forged session file permissions to 600 and zeroes it out. Detection windows are narrow and defenders should prioritize real-time file integrity monitoring on /tmp/sess_* rather than periodic scans.
  • The cookie name prefix 'cwsrp-' (exploit doc) differs slightly from the CVE description 'cwpsrv-'; detection rules should cover both variants to avoid blind spots.
  • Affected versions span 0.9.8.836 through 0.9.8.839; the fix was released on 2019-07-02. Ensure version checks in detection/asset inventory cover this full range.
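The file-integrity check described in the bullets above, written out as an added example (not code from this record or from the CWP project): it parses the PHP session serialization of a sess_* file, flags non-root ownership, permissions looser than 0600, a root username, and a forced logged flag, and matches both cookie-name spellings. The sample session body, the field-splitting regex and the function names are constructed here and are assumptions, not values taken from the exploit document.

```python
import os
import re

# Constructed sample of a forged CWP session body (PHP session format):
# username forced to root, logged flag set.
FORGED_SESSION = 'username|s:4:"root";logged|b:1;'

# A field is <name>|<serialize() value>; e.g. s:4:"root" or b:1.
_FIELD = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)\|')
_CWP_COOKIE = re.compile(r'\bcw(?:psrv|srp)-[A-Za-z0-9]+=')  # both spellings seen for this CVE

def parse_php_session(data: str) -> dict:
    """Split 'k|v;k2|v2;' into {key: raw serialized value}."""
    parts = _FIELD.split(data)
    return {k: v.strip().rstrip(';') for k, v in zip(parts[1::2], parts[2::2])}

def session_findings(name: str, content: str, mode: int, uid: int) -> list:
    """Return the reasons a sess_* file looks forged (empty list = clean)."""
    findings = []
    if not name.startswith('sess_'):
        return findings
    if uid != 0:
        findings.append(f'{name}: owned by uid {uid}, not by root')
    if mode & 0o077:  # looser than 0600, e.g. the chmod 644/664 step
        findings.append(f'{name}: mode {oct(mode & 0o777)} looser than 0600')
    fields = parse_php_session(content)
    if fields.get('username') == 's:4:"root"':
        findings.append(f'{name}: session claims username root')
    if fields.get('logged') == 'b:1' and uid != 0:
        findings.append(f'{name}: logged flag set in a non-root-owned file')
    return findings

def cookie_header_matches(cookie_header: str) -> bool:
    """True if a Cookie header carries a cwpsrv-/cwsrp- session cookie."""
    return _CWP_COOKIE.search(cookie_header) is not None

def scan_session_dir(directory: str = '/tmp') -> list:
    """Check every sess_* file directly inside one directory."""
    hits = []
    for entry in os.scandir(directory):
        if not (entry.is_file(follow_symlinks=False) and entry.name.startswith('sess_')):
            continue
        st = entry.stat(follow_symlinks=False)
        try:
            with open(entry.path, errors='replace') as fh:
                content = fh.read(4096)
        except OSError:  # file may already be zeroed/locked by the app
            continue
        hits.extend(session_findings(entry.name, content, st.st_mode, st.st_uid))
    return hits
```

Because the application resets the file to 0600 and zeroes it quickly, run scan_session_dir from an inotify-driven hook or a tight loop rather than a periodic cron job.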

CVSS provenance

NVD, CVSS v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 8.5 HIGH, AV:N/AC:M/Au:S/C:C/I:C/A:C