Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2022-44877
CVE-2022-44877:
Control Web Panel vulnerability analysis and mitigation
Overview
CVE-2022-44877 is a critical remote code execution vulnerability affecting Control Web Panel (CWP, formerly known as CentOS Web Panel) 7 versions prior to 0.9.8.1147. The vulnerability was discovered by security researcher Numan Türle and was assigned a CVSS score of 9.8. The flaw exists in the login/index.php component, which allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter (Rapid7 Blog, Wiz Blog).
Technical details
The vulnerability arises from a condition where bash commands can be executed when double quotes are used to log incorrect entries into the system. The flaw specifically exists in the login/index.php file, where attackers can inject shell metacharacters through the login parameter. The vulnerability allows unauthenticated attackers to execute commands remotely on a machine running a vulnerable version of CWP, with the same privilege level as CWP, which in many cases is root by default (Wiz Blog, Full Disclosure).
Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary operating system commands without authentication. Given that CWP often runs with root privileges, attackers can potentially gain complete control over the affected system. According to Shadowserver's dashboard, tens of thousands of CWP instances were exposed on the internet, making this a significant security risk (Rapid7 Blog).
Mitigation and workarounds
The primary mitigation is to upgrade Control Web Panel to version 0.9.8.1147 or later. The vulnerability was fixed in an October 2022 release of CWP. Organizations running CWP should immediately update their installations to the patched version to prevent exploitation (Rapid7 Blog).
Community reactions
The security community responded quickly to the vulnerability, with multiple security firms and researchers publishing analyses and warnings. Shadowserver reported exploitation in the wild on January 6, 2023, and security researchers observed attack attempts originating from multiple countries including the Netherlands, the United States, and Thailand (Wiz Blog).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management