cbcvebase.
CVE-2021-45467
published 2022-12-26


Priority: P1 (90)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploitation: exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 70.95% (99.3rd percentile)
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.

Affected

1 range

Vendor            Product    Version range    Fixed in
control-webpanel  webpanel   < 0.9.8.1107     0.9.8.1107

Detection & IOCs (extracted from sources)

url: /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi
path: /user/loader.php
path: /user/login.php
url: /user/index.php?api=1&scripts=.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./etc/passwd
url: /user/login.php?api=1&scripts=.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./.%00%00%00./etc/passwd
payload (value of the scripts parameter): .%00%00%00./.%00%00%00./api/account_new_create
other: icon_hash=-356182173
  • Detect null-byte (%00) injection in the 'scripts' query parameter on /user/loader.php, /user/login.php, or /user/index.php; it is the hallmark of CVE-2021-45467 exploitation attempts
  • Look for HTTP GET requests whose query string combines 'api=1' with 'scripts=' and one or more '%00' sequences; these indicate traversal attempts to reach /etc/passwd or an arbitrary API endpoint such as api/account_new_create. Decode the parameter and strip the NUL bytes before matching, since '.%00./' and '.%00%00%00./' both collapse to '../'
  • Fingerprint exposed CWP instances using the favicon icon hash -356182173 (FOFA/Shodan) to identify attack surface before exploitation
  • A successful LFI response contains 'root:.*:0:0:' in the body (contents of /etc/passwd), confirming file read via null-byte path traversal
  • Identify CWP panels by checking the HTTP response body for the strings 'control webpanel' or 'cwp | user' (case-insensitive)
  • The vulnerability affects CWP versions before 0.9.8.1107 only; patched versions are not susceptible to null-byte injection via the 'scripts' parameter
  • The Nuclei template uses a two-step flow: first confirming the target is a CWP instance via favicon hash or page content, then sending the traversal payload. Single-step detections may produce false positives on non-CWP servers
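The detection logic described in the notes above, as an added example that is neither this page's nor any published Nuclei template's code: a Python scanner that matches CVE-2021-45467 attempts in access-log lines (percent-decoding the 'scripts' parameter, counting NUL bytes, and collapsing them to see where the traversal resolves), plus the CWP fingerprint and /etc/passwd response checks kept as separate functions so the two-step flow can be reproduced. The log lines, IP addresses, timestamps and sizes are constructed for the example; the endpoints, markers and payload shapes come from the IOC list above.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the IOC list above.
CWP_ENDPOINTS = {"/user/loader.php", "/user/login.php", "/user/index.php"}

# Markers from the detection notes above.
PASSWD_RE = re.compile(r"root:.*:0:0:")
CWP_MARKERS = ("control webpanel", "cwp | user")

# Apache/nginx combined log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def analyze_target(target: str) -> Optional[dict]:
    """Inspect one request target (path + query string).

    Returns a finding when the request matches the CVE-2021-45467 pattern
    (api=1 on a CWP endpoint with NUL bytes in 'scripts'), otherwise None.
    """
    parts = urlsplit(target)
    if parts.path not in CWP_ENDPOINTS:
        return None
    # parse_qs percent-decodes, so every %00 becomes a real NUL character here.
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("api", [""])[0] != "1" or "scripts" not in qs:
        return None
    scripts = qs["scripts"][0]
    nul_count = scripts.count("\x00")
    if nul_count == 0:
        return None
    # Dropping the NULs is what turns ".%00./" or ".%00%00%00./" into "../",
    # so do the same to see where the traversal actually points.
    collapsed = scripts.replace("\x00", "")
    return {
        "path": parts.path,
        "nul_bytes": nul_count,
        "traversal": ".." in collapsed,
        "resolved": posixpath.normpath("/" + collapsed),
    }


def scan_access_log(lines) -> list:
    """Run analyze_target over access-log lines; findings carry source IP and status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_target(m["target"])
        if finding:
            finding.update(ip=m["ip"], status=int(m["status"]))
            findings.append(finding)
    return findings


def looks_like_cwp(body: str) -> bool:
    """Fingerprint step: does this response body come from a CWP panel? (case-insensitive)"""
    lowered = body.lower()
    return any(marker in lowered for marker in CWP_MARKERS)


def lfi_succeeded(body: str) -> bool:
    """Confirmation step: did the traversal to /etc/passwd return file contents?"""
    return PASSWD_RE.search(body) is not None


# Constructed sample log lines (IPs, timestamps and sizes are made up for this example).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Dec/2022:10:00:00 +0000] "GET /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi HTTP/1.1" 200 512',
    '198.51.100.2 - - [26/Dec/2022:10:00:01 +0000] "GET /user/login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [26/Dec/2022:10:00:02 +0000] "GET /user/login.php?api=1&scripts=' + ".%00%00%00./" * 12 + 'etc/passwd HTTP/1.1" 200 1488',
    '192.0.2.9 - - [26/Dec/2022:10:00:03 +0000] "GET /index.php?api=1&scripts=.%00./x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The request match alone only says that someone sent the payload; a loader.php hit with NUL bytes against a non-CWP host is still worth logging, but exploitation is confirmed only when looks_like_cwp matched the panel and lfi_succeeded (or, for the API-key variant, the acc value showing up in the panel) matched the response, which is the same separation the two-step Nuclei flow makes.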

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL