The popular and free Control Web Panel software has a significant security flaw that has already been exploited, according to the US government’s cybersecurity agency CISA, which has given federal agencies until the beginning of February to fix it.
CISA added the CVE-2022-44877 vulnerability to its KEV (Known Exploited Vulnerabilities) library and gave federal entities until February 7 to test and implement the patch.
Security professionals predicted earlier this month that the publication of proof-of-concept code and a YouTube video presentation would lead to actual exploits. Threat hunters immediately discovered signs of exploitation in the wild.
This vulnerability, according to CISA, “poses a significant risk to the government organization and is a common attack vector for rogue cyber actors.”
The CWP Control Web Panel utility is a popular web hosting panel for Linux systems. The flaw falls into the category of an OS command injection vulnerability which allows remote attackers to execute commands in the login stage.
The vulnerability has a CVSS severity score of 9.8/10 and does not take extensive skill to exploit. The flaw, identified as CVE-2022-44877, scored a critical severity score of 9.8 out of 10.
On January 3, researcher Numan Türle at Gais Cyber Security, who had reported the issue last year, published a proof-of-concept (POC) exploit and a YouTube video showing how it works. The bug was uncovered last year during zero-day research performed on third-party applications used by clients of the company he worked at, Gais Security.
Linux admins are advised to take immediate action and update CWP to the latest version.
