CWP bugs allow code execution as root on Linux servers, patch now
Two security vulnerabilities that impact the Control Web Panel software can be chained by unauthenticated attackers to gain remote code execution as root on vulnerable Linux servers.
CWP, previously known as CentOS Web Panel, is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.
Octagon Networks says that, while the CVE-2021-45467 file inclusion vulnerability was patched, they saw how "Some managed to reverse the patch and exploit some servers."
The security researchers also said they would release a proof-of-concept exploit for this pre-auth RCE chain once enough Linux servers running CWP have been upgraded to the latest version.
While the CWP site claims that roughly 30,000 servers are running CWP, BleepingComputer found almost 80,000 Internet-exposed CWP servers on BinaryEdge.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS score) |
|---|---|---|---|
| 2022-12-26 | CVE-2021-45467 | Unspecified vulnerability in Control-Webpanel Webpanel. In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. | 9.8 |
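For administrators who cannot patch immediately, the two checks worth running are whether the installed CWP build is older than the fixed 0.9.8.1107 release named in the CVE text, and whether web-server access logs already contain requests to /user/loader.php whose `scripts` parameter carries the `%00` null-byte traversal pattern the description gives. The following Python script is an added example written for this article; it is not code from BleepingComputer, Octagon Networks or the CWP project. The access-log lines it scans are constructed for the example, and the version strings it compares are assumed to follow CWP's dotted four-part scheme.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines for this example (not from the article).
# Only the second line carries the %00 null-byte traversal pattern that the
# CVE-2021-45467 description gives for /user/loader.php.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:01:02 +0000] "GET /user/loader.php?api=1&scripts=api/list HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2022:10:01:09 +0000] "GET /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi HTTP/1.1" 200 88
198.51.100.9 - - [10/Jan/2022:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

# Common log format: client, ident, user, [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# The patched version named in the CVE text; anything older is affected.
FIXED_VERSION = (0, 9, 8, 1107)


def parse_version(text):
    """Turn a dotted CWP version string such as '0.9.8.1106' into a tuple of ints
    (assumed four-part dotted scheme)."""
    return tuple(int(p) for p in text.strip().split("."))


def version_is_affected(text):
    """True when the installed CWP version is older than the fixed release."""
    return parse_version(text) < FIXED_VERSION


def suspicious_loader_params(target):
    """Return (name, decoded value with nulls stripped) for query parameters of
    /user/loader.php that contain a null byte or a '..' path segment once the
    nulls are removed; empty list when the request looks clean."""
    parts = urlsplit(target)
    if not parts.path.endswith("/user/loader.php"):
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:  # parse_qs percent-decodes, so %00 arrives here as '\x00'
            stripped = value.replace("\x00", "")
            if "\x00" in value or ".." in stripped.split("/"):
                hits.append((name, stripped))
    return hits


def scan_log(text):
    """Scan access-log text and return one finding per request that abuses loader.php."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_loader_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} params={f['params']}")
```

Stripping the null bytes before looking for `..` segments matters because that is what the vulnerable check effectively saw: a path that passed a naive filter with the `%00` bytes in place but resolved to a traversal once they were dropped. A request flagged with a 200 status is the one to treat as a possible compromise rather than just an attempt.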