CVE-2021-45466: 
Control Web Panel vulnerability analysis and mitigation

In CWP (Control Web Panel, formerly known as CentOS Web Panel) versions before 0.9.8.1107, a critical vulnerability was identified where attackers could make crafted requests to api/?api=addserver&DHCP= to add an authorizedkeys text file in the /resources/ folder. This web hosting management software, used by over 200,000 servers, was discovered to contain this vulnerability in December 2021 (NVD, THN).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified under CWE-863 (Incorrect Authorization). The vulnerability exists in unauthenticated PHP pages exposed in the webroot, specifically /user/loader.php and /user/index.php (NVD, Octagon).

When exploited, this vulnerability allows attackers to achieve pre-authenticated remote code execution (RCE) as root on affected Linux servers. The vulnerability affects the server's security by allowing unauthorized file writing capabilities, which could lead to complete system compromise (Threatpost).

The vulnerability has been patched in version 0.9.8.1107 and later releases. System administrators are strongly advised to upgrade their CWP installations to the latest version to prevent exploitation (CWP Changelog).