
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2022-25047) affects Control Web Panel (CWP) v0.9.8.1126, where the password reset token is generated from known or predictable values. It was discovered and responsibly disclosed by Immersive Labs researchers in early 2022. CWP is a shared hosting platform built to run on CentOS servers; with approximately 185,000 active servers, the flaw potentially affects millions of websites (Immersive Labs Blog).
The vulnerability lies in the password reset functionality, where the token generation process uses predictable inputs. The reset token can be calculated by anyone who knows the email address and username of a given user. When a password reset is triggered, the server's response includes the date and time of the request, and that timestamp is the same value used to generate the reset token, so the one secret-looking input is handed back to the requester (Immersive Labs Blog).
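The weakness described above is a token derived from values the requester already knows or is told. The following is an added illustration of the hardened pattern a reset endpoint should follow, written for this page and not taken from CWP's code: the token comes from the OS CSPRNG rather than from user attributes or the request time, only its hash is stored, it expires and is single-use, and the HTTP-level reply never echoes the timestamp or the token. The class and function names (`PasswordResetStore`, `handle_reset_request`) and the 15-minute lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy value for this example: 15-minute validity


class PasswordResetStore:
    """Pending reset requests keyed by username (in-memory for the example).

    Only the SHA-256 hash of each token is kept, so a leaked table does not
    expose live tokens. The clock is injectable so expiry can be tested.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # username -> (token_hash, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_token(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG. Nothing about the user, their email
        # address or the request time enters the token, so knowing those
        # values gives no ability to recompute it.
        token = secrets.token_urlsafe(32)
        self._pending[username] = (self._hash(token), self._now() + TOKEN_TTL_SECONDS)
        return token  # to be delivered only via the user's registered email

    def redeem_token(self, username: str, presented: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[username]  # stale request: drop it
            return False
        # Constant-time comparison of hashes avoids leaking the token via timing.
        if not hmac.compare_digest(token_hash, self._hash(presented)):
            return False
        del self._pending[username]  # single use: a redeemed token cannot be replayed
        return True


def handle_reset_request(store: PasswordResetStore, username: str, known_users: set) -> str:
    """Endpoint behaviour: the reply is identical whether or not the account
    exists and contains neither the request timestamp nor the token."""
    if username in known_users:
        store.issue_token(username)  # token leaves only through the email channel
    return "If that account exists, a reset link has been sent."


if __name__ == "__main__":
    store = PasswordResetStore()
    users = {"alice"}  # constructed sample user set
    print(handle_reset_request(store, "alice", users))
    print(handle_reset_request(store, "nobody", users))  # same text, no enumeration
```

The important property is that the token is unguessable even to someone who knows the username, email address and exact request time; the generic response, the expiry and the single-use check are the additional controls a reviewer would look for in any reset flow.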
This vulnerability allows attackers to take over user accounts by completing the password reset process without access to the target's email account. With hundreds of thousands of active CWP servers online, each hosting between 10 and 100 websites, millions of websites could potentially be affected. Attackers could use compromised accounts to inject credential-harvesting malware or target payment portals (Immersive Labs Blog).
The vulnerability has been patched by the CWP team. CWP has an automatic update process that includes forced expiry of instances that are not kept up to date, and all vulnerable versions have now passed their forced expiry date. Users should nevertheless confirm that their CWP installations are running the latest version (Immersive Labs Blog).
Source: This report was generated using AI