Vulnerability with 9.8 severity in Control Web Panel is under active exploit

Malicious hackers have started exploiting a critical vulnerability in an unpatched version of Control Web Panel, a widely used interface in web hosting.

“This is an unauthenticated RCE,” wrote a member of the Shadowserver group on Twitter, using the acronym for remote code exploit. “Exploitation is trivial and a PoC has been published.” PoC refers to proof-of-concept code that exploits a vulnerability.

This vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Türle of Gais Cyber Security and patched in October with version 0.9.8.1147. The advisory wasn’t made public until earlier this month, but some users may still be unaware of the threat.

According to figures provided by security firm GreyNoise, the attacks began on January 7 and have slowly increased since then, with the latest round continuing until Wednesday. The exploits originate from four separate IP addresses located in the United States, the Netherlands, and Thailand, according to the company.

Shadowserver shows that there are about 38,000 IP addresses running Control Web Panel. The largest concentration is in Europe, followed by North America and Asia.

CVE-2022-44877 has a severity rating of 9.8 out of 10. The vulnerability advisory states, “The system logs malformed entries using double quotes, allowing Bash commands to be executed.” As a result, an unauthenticated hacker could execute malicious commands during the login process. The following video shows the exploit flow.

[Video: Unauthenticated Remote Code Execution in Centos Web Panel 7 – CVE-2022-44877]

According to the Daily Swig, the vulnerability resided in the /login/index.php component and was caused by CWP using a flawed structure when logging erroneous entries. Here is the structure:

echo "incorrect entry, IP address, HTTP_REQUEST_URI" >> /blabla/wrong.log

“The request URI is from the user and, as you can see, is enclosed in double quotes so that you can execute commands such as $(blabla), a bash feature,” Türle told the publication.
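The logging structure described above, shown beside two hardened forms. This is an added illustration, not CWP's code: the function names, log paths and the sample request (which carries only a harmless marker) are constructed for the example.

```shell
#!/bin/sh
# Added illustration, not CWP source. Function names, log paths and the
# sample request are hypothetical and constructed for this example.
LOG_DIR=$(mktemp -d)

# Flawed structure from the article: the log command is assembled as one
# string, so a second shell parses the request URI as shell syntax and
# evaluates $(...) inside the double quotes.
log_unsafe() {
    sh -c "echo \"incorrect entry, $1, $2\" >> \"$LOG_DIR/unsafe.log\""
}

# Hardened form 1: no second shell. printf receives the URI as an argument
# and writes it as data. Control characters are stripped so a request
# cannot forge extra log lines.
log_safe() {
    uri=$(printf '%s' "$2" | tr -d '\000-\037\177')
    printf 'incorrect entry, %s, %s\n' "$1" "$uri" >> "$LOG_DIR/safe.log"
}

# Hardened form 2: if a shell must be spawned, keep the command text
# constant and pass untrusted values as positional parameters.
log_safe_argv() {
    sh -c 'printf "incorrect entry, %s, %s\n" "$1" "$2" >> "$3"' \
        sh "$1" "$2" "$LOG_DIR/safe_argv.log"
}

# Constructed sample request; the substitution only emits a marker word.
SAMPLE_IP='203.0.113.5'
SAMPLE_URI='/login/index.php?q=$(echo EXPANDED)'

log_unsafe "$SAMPLE_IP" "$SAMPLE_URI"
log_safe "$SAMPLE_IP" "$SAMPLE_URI"
log_safe_argv "$SAMPLE_IP" "$SAMPLE_URI"

# Show what each variant actually wrote to its log.
for f in unsafe safe safe_argv; do
    printf '%-10s ' "$f:"
    cat "$LOG_DIR/$f.log"
done
```

In the unsafe log the marker appears in place of the `$(...)` text, which means the shell ran it; both hardened logs contain the request URI exactly as received.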

Given the ease and severity of exploitation and the availability of valid exploit code, organizations using Control Web Panel should ensure they are running version 0.9.8.1147 or higher.
