Security News > 2022 > January > CWP bugs allow code execution as root on Linux servers, patch now

CWP bugs allow code execution as root on Linux servers, patch now
2022-01-24 19:34

Two security vulnerabilities that impact the Control Web Panel software can be chained by unauthenticated attackers to gain remote code execution as root on vulnerable Linux servers.

CWP, previously known as CentOS Web Panel, is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.

While the CVE-2021-45467 file inclusion vulnerability was patched, Octagon Networks says that they saw how "Some managed to reverse the patch and exploit some servers."

Octagon Networks says that, while the CVE-2021-45467 file inclusion vulnerability was patched, they saw how "Some managed to reverse the patch and exploit some servers."

The security researchers also said they would release a proof-of-concept exploit for this pre-auth RCE chain after enough Linux servers running CWP will get upgraded to the latest version.

While the CWP site claims that roughly 30,000 servers are running CWP, BleepingComputer found almost 80,000 Internet-exposed CWP servers on BinaryEdge.


News URL

https://www.bleepingcomputer.com/news/security/cwp-bugs-allow-code-execution-as-root-on-linux-servers-patch-now/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-12-26 CVE-2021-45467 Unspecified vulnerability in Control-Webpanel Webpanel
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI.
network
low complexity
control-webpanel
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2532 1569 67 4232