
 

Control Web Panel vulnerability CVE-2022-44877 exploited once again

Started by Hosting News, Jan 13, 2023, 11:02 AM


Hosting News (Topic starter)

Control Web Panel, also known as CentOS Web Panel, is an administration tool designed for Linux operating systems used by web hosting companies and system administrators.



This software is installed on over 200,000 different servers worldwide. Recently, hackers have been exploiting a previously patched vulnerability in the system, which has a severity score of 9.8 and can be tracked as CVE-2022-44877, at around the same time as last year's similar incident.

It seems that the start of a new year is a particularly vulnerable time for Control Web Panel. The vulnerability in question affects all versions of the software up to version 0.9.8.1147 and was spotted and patched by Numan Türle of Gais Security. However, according to the National Vulnerability Database (NVD), login/index.php in CWP 7 before 0.9.8.1147 still allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

According to the Shadowserver Foundation and GreyNoise, this weakness was once again exploited in January of 2023, when a proof-of-concept (PoC) became available. It was found that the installation was being hosted with the 'root' privilege, which is comparable to Windows' 'Administrator' capability. Therefore, it is highly recommended for users to update to the latest version to avoid cyber-attacks.


Attie

CWP version 0.9.8.1147, released in October last year, resolved CVE-2022-44877. However, despite this patch, Shadowserver Foundation discovered that approximately 38,000 CWP instances are scanned every day, but not all of them are vulnerable. As per experts' analysis, attackers modified the publicly available exploit to suit their needs and mainly utilize the vulnerability to create reverse shells. The majority of these attacks originate from IP addresses located in the United States, Thailand, and the Netherlands.
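Added example, not part of the original posts or of CWP itself: a log check for the condition the NVD text quoted in the first post describes, shell metacharacters in the login parameter of login/index.php. It assumes the panel's requests are logged in the Apache/nginx combined format and that the parameter is visible in the logged URL; the sample lines, IP addresses and PLACEHOLDER payloads are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters a POSIX shell treats specially; none belong in a user name.
SHELL_META = re.compile(r'[;&|`$(){}<>\\\n\r]')

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%2560 -> %60 -> `)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_login_requests(lines):
    """Return (ip, timestamp, decoded_login) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/login/index.php"):
            continue
        # Split by hand so the raw, still-encoded value is what gets decoded.
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            value = fully_decode(raw)
            if unquote_plus(key) == "login" and SHELL_META.search(value):
                hits.append((m["ip"], m["ts"], value))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jan/2023:10:00:01 +0000] "GET /login/index.php?login=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jan/2023:10:02:11 +0000] "POST /login/index.php?login=%24%28PLACEHOLDER%29 HTTP/1.1" 302 0',
    '203.0.113.5 - - [13/Jan/2023:10:03:40 +0000] "POST /login/index.php?login=%2560PLACEHOLDER%2560 HTTP/1.1" 200 0',
    '192.0.2.44 - - [13/Jan/2023:10:04:02 +0000] "GET /index.php?login=%3Bx HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_login_requests(SAMPLE_LOG):
        print(hit)
```

A hit shows that a request was attempted, not that it succeeded; whether the server was exposed depends on the installed CWP version, and values sent only in a POST body do not appear in access logs.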

