CVE-2022-25048: 
Control Web Panel vulnerability analysis and mitigation

Command injection vulnerability discovered in Control Web Panel (CWP) v0.9.8.1126 allows normal users to execute commands with root privileges. The vulnerability was identified and responsibly disclosed by Immersive Labs researchers in early 2022, receiving the identifier CVE-2022-25048. CWP is a shared hosting platform designed for CentOS servers, used by approximately 185,000 active servers (Immersive Labs Blog).

The vulnerability stems from instances where input data from standard users is used to create shell commands that are then executed in the context of the root account. This security flaw allows any standard user account to run commands with root privileges, effectively bypassing the intended access control mechanisms (Immersive Labs Blog, GitHub POC).

With approximately 185,000 active CWP servers online, each hosting between 10 and 100 websites, the vulnerability potentially affected millions of individual websites. Attackers exploiting this vulnerability at scale could have infected millions of websites with credential harvesting malware or targeted payment portals to intercept banking details. The vulnerability primarily impacted personal and small business accounts rather than large enterprises (Immersive Labs Blog).

All reported vulnerabilities have been patched by the CWP team. The system's default configuration includes automatic updates at regular frequencies, meaning that all CWP instances should be fully patched unless updates have been forcibly disabled. Users can verify their installed version by SSH-ing onto the target server and running the command 'cat /path to version.php' (Immersive Labs Blog).

The CWP development team responded quickly to the vulnerability disclosure and worked collaboratively with researchers to patch and test all fixes. As appreciation for the responsible disclosure, CWP made a donation to Save the Children in support of Ukraine at the researchers' request (Immersive Labs Blog).