Attackers are targeting a recently patched vulnerability in the CentOS Control Web Panel that allows remote unauthenticated code execution on vulnerable servers.
The bug has been public for several days, and the researcher who discovered it has published exploit code for it as well. The maintainers of CWP released a new version of the software to address the vulnerability, but because CWP is a popular web interface for website hosting and sits in front of live sites, it’s likely that many organizations haven’t updated just yet.
Researcher Numan Turle of Gais Security discovered the vulnerability (CVE-2022-44877) and reported it to Control Web Panel, which released an update in October. The details of the vulnerability emerged last week, along with a proof-of-concept exploit that Turle developed, and now attackers are beginning to exploit the bug.
On Wednesday, researchers at The Shadowserver Foundation, which tracks vulnerabilities, exploit attempts, and other Internet trends, reported seeing exploit attempts ramping up against the CWP flaw. Data from GreyNoise, which also tracks attack traffic, shows exploit attempts against this flaw as well.
“We are seeing CVE-2022-44877 exploitation attempts for CWP (CentOS Web Panel/Control Web Panel) instances. This is an unauthenticated RCE. Exploitation is trivial and a PoC published. Exploitation first observed Jan 6th,” Shadowserver said on Twitter.
The vulnerability affects CWP7 versions lower than 0.9.8.1147 and lies in the way the software handles some characters in the login command. It is simple to exploit, and the availability of PoC exploit code increases the urgency for affected organizations to patch.
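As a defender's triage check, an added example that is not part of the article or of CWP itself: a small Python helper that compares an installed CWP7 version string against the fixed release 0.9.8.1147 named above and lists which hosts in an inventory still need the update. The host names and versions in the inventory are constructed for illustration.

```python
# Added example (not from the article): flag CWP7 installs below the
# fixed release cited for CVE-2022-44877 so they can be prioritised for patching.
from typing import Dict, List, Tuple

FIXED_VERSION = "0.9.8.1147"  # fixed release named in the article


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted numeric version like '0.9.8.1147' into integers.

    Anything that is not purely numeric components is rejected rather than
    silently compared as text (which would rank '0.9.8.999' above '0.9.8.1147').
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed, compared component by component.

    Missing trailing components count as zero, so '0.9.8' is treated as
    older than '0.9.8.1147' and therefore affected.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted host names whose CWP version is below the fix."""
    return sorted(h for h, v in inventory.items() if is_affected(v))


if __name__ == "__main__":
    # Constructed inventory: host name -> reported CWP7 version.
    sample = {
        "panel-a.example": "0.9.8.1146",
        "panel-b.example": "0.9.8.1147",
        "panel-c.example": "0.9.8",
        "panel-d.example": "0.9.8.1150",
    }
    print("needs patch:", hosts_needing_patch(sample))
```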