CVE-2021-45467
Published 2022-12-26
CVE-2021-45467: In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an…
Priority P190 · critical · 9.8 (CVSS 3.1)
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS 70.95% (99.3rd percentile)
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| control-webpanel | webpanel | < 0.9.8.1107 | 0.9.8.1107 |
Detection & IOCs (extracted from sources)
url: /user/index.php?api=1&scripts=.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./etc/passwd
url: /user/login.php?api=1&scripts=.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./etc/passwd
other: icon_hash=-356182173
- Detect null-byte (%00) injection in the 'scripts' query parameter on /user/loader.php, /user/login.php, or /user/index.php — a hallmark of CVE-2021-45467 exploitation attempts
- Look for HTTP GET requests containing 'api=1' combined with 'scripts=' and multiple '%00' sequences in the URL path — these indicate directory traversal attempts to reach /etc/passwd or arbitrary API endpoints
- Fingerprint vulnerable CWP instances using the favicon icon hash -356182173 (FOFA/Shodan) to identify exposed attack surface before exploitation
- A successful LFI exploitation response will contain 'root:.*:0:0:' in the body (contents of /etc/passwd), confirming file read via null-byte path traversal
- Identify CWP panels by checking the HTTP response body for the strings 'control webpanel' or 'cwp | user' (case-insensitive)
- The vulnerability affects CWP versions before 0.9.8.1107 only; patched versions are not susceptible to null-byte injection via the 'scripts' parameter
- The Nuclei template uses a two-step flow: first confirming the target is a CWP instance via favicon hash or page content, then sending the traversal payload — single-step detections may produce false positives on non-CWP servers
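The detection notes above, applied to access-log lines, as an added example. This is not code from CWP, Nuclei, VulnCheck or any other source quoted on this page; the endpoints, parameters and payload shapes are taken from the advisory text and IOC list, the log lines are constructed samples in common/combined log format (an assumption about the server's log layout), and the benign 'scripts' value in the last sample line is a made-up placeholder.

```python
"""Access-log checks for CVE-2021-45467 exploitation attempts against CWP.

Added example for this page; it is not code from CWP, Nuclei, VulnCheck or
any other source quoted here.  Endpoints, parameters and payload shapes come
from the advisory text and IOC list; the log lines are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory and the IOC list
CWP_ENDPOINTS = {"/user/loader.php", "/user/login.php", "/user/index.php"}

# Request line of a common/combined-format access log entry (assumed layout)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Response-body markers cited in the detection notes
PASSWD_RE = re.compile(r"root:[^:]*:0:0:")
CWP_BANNER_RE = re.compile(r"control webpanel|cwp \| user", re.IGNORECASE)


def inspect_request(target: str) -> Optional[dict]:
    """Return a finding for a request target that matches the CVE-2021-45467
    pattern (CWP endpoint, api=1, 'scripts' carrying %00 bytes), else None."""
    parts = urlsplit(target)
    if parts.path not in CWP_ENDPOINTS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("api") != ["1"] or "scripts" not in params:
        return None
    # parse_qs percent-decodes, so each %00 is now a literal NUL character
    scripts = params["scripts"][0].strip()
    null_bytes = scripts.count("\x00")
    if null_bytes == 0:
        return None
    # Dropping the NULs shows the path the vulnerable include would see,
    # which is what makes the traversal visible to an analyst
    effective = scripts.replace("\x00", "")
    return {
        "path": parts.path,
        "null_bytes": null_bytes,
        "effective_scripts": effective,
        "traversal": "../" in effective,
    }


def scan_access_log(lines):
    """Run inspect_request over every request line; return the findings."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        finding = inspect_request(match.group("target"))
        if finding is not None:
            finding["method"] = match.group("method")
            findings.append(finding)
    return findings


def lfi_succeeded(body: str) -> bool:
    """True when a response body contains the /etc/passwd root entry marker."""
    return PASSWD_RE.search(body) is not None


def looks_like_cwp(body: str) -> bool:
    """True when a response body carries the CWP fingerprint strings."""
    return CWP_BANNER_RE.search(body) is not None


# Constructed sample log lines (not real traffic).  Lines 1-2 reuse the payload
# shapes quoted in the advisory/IOCs; lines 3-4 are benign CWP requests, the
# 'scripts' value on line 4 being a made-up placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Dec/2022:10:00:01 +0000] "GET /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Dec/2022:10:00:02 +0000] "GET /user/index.php?api=1&scripts=.%00%00%00./.%00%00%00./.%00%00%00./etc/passwd HTTP/1.1" 200 2048',
    '198.51.100.4 - - [26/Dec/2022:10:00:03 +0000] "GET /user/login.php HTTP/1.1" 200 3301',
    '198.51.100.4 - - [26/Dec/2022:10:00:04 +0000] "GET /user/loader.php?api=1&scripts=example_benign_value HTTP/1.1" 403 120',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Matching on the decoded NUL count rather than on the literal string `%00` means a request that mixes encodings (`%2500`, mixed case) is still judged on what the application would receive; the `effective_scripts` field gives the analyst the collapsed path to triage, and the two response-body helpers cover the confirmation steps the notes describe (CWP fingerprint first, then the /etc/passwd marker) so a hit on a non-CWP host can be discarded.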
CVSS provenance
NVD: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-4xcw-rcp3-wq4p · ghsa_unreviewed · 2022-12-26 · CVE-2021-45467 [CRITICAL] · CWE-862
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.
VulnCheck
Control Web Panel (CWP), CentOS Web Panel Preauth Remote Code Execution
vulncheck · 2021 · CVSS 9.8 · CVE-2021-45467 [CRITICAL]
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.
Affected: control-webpanel webpanel
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unsee
No detection rules found.
Nuclei
Control Web Panel (CWP) - File Inclusion
nuclei · CVSS 9.8 · CVE-2021-45467 [CRITICAL]
In CWP (Control Web Panel, previously CentOS Web Panel) before version 0.9.8.1107, an unauthenticated attacker can abuse null byte (%00) injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be exploited by using multiple %00 sequences to traverse directories via crafted requests such as /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi, or similar payloads with more %00 instances (e.g., .%00%00%00./.%00%00%00./api/account_new_create). Attackers may use this flaw for arbitrary file access, privilege escalation, or remote code execution.
Template:
```yaml
id: CVE-2021-45467
info:
  name: Control Web Panel (CWP) - File Inclus
```
Wiz
CVE-2022-44877, critical RCE in CentOS Control Web Panel exploited in the wild: everything you need to know | Wiz Blog
blogs_wiz · 2023-01-17 · CVSS 9.8 · CVE-2022-44877 [CRITICAL]
CVE-2022-44877, a critical RCE vulnerability in Control Web Panel 7 (also known as CentOS Web Panel), has been reportedly exploited in the wild. The vulnerability could allow an unauthenticated attacker to escalate privileges and execute code remotely on susceptible servers. Although the vulnerability was published and assigned a CVE on January 6, a fix has been available since October 25, 2022. It was assigned a CVSS score of 9.8.
Exploitation attempts reportedly began around January 6, closely following the publication of a public proof of concept.
## What is CVE-2022-44877?
In unpatched versions of CWP, there is a flaw that allows the execution of Bash commands if double quotation marks are used when logging incorrect entries into the system. This flaw could enable an attacker to exe
Checkpoint
24th January – Threat Intelligence Report
blogs_checkpoint · 2022-01-24 · CVE-2021-44757
## 24th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th January, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
A new cyber-espionage campaign by the Arabic-speaking APT group Molerats (aka Gaza Cybergang) has been targeting victims in the Middle East, specifically high-profile targets in the banking, NGOs and political sectors in Palestine and Turkey. The group leverages cloud services like Google Drive or Dropbox to host malicious
Greynoiseio
Malicious Tag Roundup (January 2022)
blogs_greynoiseio