Security News > 2022 > January > Linux Servers at Risk of RCE Due to Critical CWP Bugs

Researchers have discovered two critical bugs in Control Web Panel - a popular web hosting management software used by 200K+ servers - that could allow for remote code execution as root on vulnerable Linux servers.
CWP, formerly known as CentOS Web Panel, is an open-source Linux control panel software used for creating and managing web hosting environments.
The software supports the operating systems CentOS, Rocky Linux, Alma Linux and Oracle Linux.
In order to exploit the vulnerability, inject malicious code from a remote resource and execute code execution, an attacker would simply need to alter the include statement, which is used to insert the content of one PHP file into another PHP file before the server executes it.
To do so requires bypassing security protections to prevent attackers from reaching the restricted API section without authentication: a feat that can be accomplished by registering an API key using the file inclusion bug and creating a malicious authorized keys file on the server using the file write flaw.
Octagon will be be releasing a full proof of concept for achieving the preauth RCE "Once enough servers migrate to the latest version," according to the report.
News URL
https://threatpost.com/linux-servers-rce-critical-cwp-bugs/177906/
Related news
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking (source)
- Critical AMI MegaRAC bug can let attackers hijack, brick servers (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Veeam RCE bug lets domain users hack backup servers, patch now (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers (source)