CVE-2022-44877, critical RCE in CentOS Control Web Panel exploited in the wild: everything you need to know

Detect and mitigate CVE-2022-44877, a CentOS Control Web Panel (CWP) unauthenticated RCE exploited in the wild. Security teams are advised to patch urgently.

CVE-2022-44877, a critical RCE vulnerability in Control Web Panel 7 (also known as CentOS Web Panel), has been reportedly exploited in the wild. The vulnerability could allow an unauthenticated attacker to escalate privileges and execute code remotely on susceptible servers. Although the vulnerability was published and assigned a CVE on January 6, a fix has been available since October 25, 2022. It was assigned a CVSS score of 9.8.

Exploitation attempts reportedly began around January 6, closely following the publication of a public proof of concept.

What is CVE-2022-44877? 

In unpatched versions of CWP, a flaw in how incorrect login entries are logged allows Bash commands to be executed when the logged input contains double quotation marks. This flaw could enable an attacker to execute commands remotely on a machine running a vulnerable version of CWP, with the same privilege level as CWP, which in many cases is root by default. This is the third critical vulnerability in CWP published in the past 30 days, along with CVE-2021-45467 and CVE-2021-45466.

Wiz Research data: what is the risk to cloud environments?

According to Wiz data, CWP is not prevalent in cloud environments, so the risk of CVE-2022-44877 exploitation in such environments is lower.

What sort of exploitation has been identified in the wild?

Since the publication of the proof of concept on January 6, mass exploitation attempts have been observed in the wild.

Indicators of compromise

Researchers observed the following IP addresses in exploitation attempts:

  • 206.189.170.136 

  • 185.117.73.208

  • 157.230.62.113 

  • 180.183.132.35 

Which products are affected?

Versions of CentOS Control Web Panel prior to version 0.9.8.1147

Which actions should security teams take?

It is highly recommended to update instances of CWP to the patched version 0.9.8.1147 or later. In addition, check whether your environments have been accessed from any of the known malicious IP addresses listed above.
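The two checks above, the version comparison against the patched build and a sweep of web-server access logs for the listed IoC addresses, can be scripted. The following is an added triage helper written for this article; it is not code from Wiz or from the CWP project. It assumes Common Log Format access logs (client IP as the first field, request line in quotes, then status and size), uses the version and IP addresses from this advisory, and additionally flags request lines carrying an escaped double quote, since the advisory describes the flaw as triggering when double quotation marks reach the login log. The sample log lines, paths and the hypothetical `user` query parameter are constructed for the example.

```python
"""Triage helper for CVE-2022-44877 (added example, not from the advisory or CWP):
compare an installed CWP version against the patched build and scan
web-server access-log lines for the IoC IPs and for request lines that
contain an escaped double quote, the character the flaw depends on."""
import re
from dataclasses import dataclass

# Patched build named in the advisory; anything lower is vulnerable.
PATCHED_VERSION = "0.9.8.1147"

# IoC IP addresses listed in the advisory.
IOC_IPS = frozenset({
    "206.189.170.136",
    "185.117.73.208",
    "157.230.62.113",
    "180.183.132.35",
})

# Common Log Format: client IP first, request line in quotes, then status and size.
# Apache writes a literal quote inside the request as \" ; nginx writes \x22.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) \S+$'
)
ESCAPED_QUOTE = re.compile(r'\\"|\\x22')


def parse_version(version: str) -> tuple:
    """'0.9.8.1146' -> (0, 9, 8, 1146) so dotted versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the running CWP build predates the patched release."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


@dataclass
class Finding:
    line_no: int
    ip: str
    reasons: list


def triage_log(lines) -> list:
    """Return one Finding per log line whose source IP is in the IoC list or
    whose request line carries an escaped double quote. Lines that do not
    parse as Common Log Format are skipped."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] in IOC_IPS:
            reasons.append("source IP in CVE-2022-44877 IoC list")
        if ESCAPED_QUOTE.search(m["req"]):
            reasons.append("double quote in request line")
        if reasons:
            findings.append(Finding(line_no, m["ip"], reasons))
    return findings


# Constructed sample access-log lines (not real traffic); paths and the
# "user" parameter are placeholders, not CWP's own.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Jan/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '206.189.170.136 - - [06/Jan/2023:10:02:17 +0000] "POST /index.php HTTP/1.1" 200 431',
    '198.51.100.7 - - [06/Jan/2023:10:03:44 +0000] "POST /index.php?user=\\x22 HTTP/1.1" 200 431',
    '180.183.132.35 - - [06/Jan/2023:10:05:09 +0000] "POST /index.php?user=\\" HTTP/1.1" 200 431',
    'not a log line at all',
]

if __name__ == "__main__":
    for version in ("0.9.8.1146", "0.9.8.1147", "0.9.8.1150"):
        print(version, "VULNERABLE" if is_vulnerable(version) else "patched")
    for f in triage_log(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.ip}: {'; '.join(f.reasons)}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. The IoC match is the strong signal; the double-quote heuristic only narrows which requests to review by hand, since legitimate traffic can also carry quotes.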

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.
