A recently patched critical vulnerability in Control Web Panel (CWP), a server management tool formerly known as CentOS Web Panel, is being actively exploited by attackers. The flaw, tracked as CVE-2022-44877, carries a severity rating of 9.8 out of 10 and allows an attacker to achieve remote code execution without authentication.
The problem was detected around October of last year. On January 3, researcher Numan Türle of Gais Cyber Security published a proof-of-concept (PoC) exploit together with a video demonstrating how it works. Three days later, security researchers observed attackers using the flaw to gain remote access to unpatched systems and to scan for other vulnerable hosts.
On October 25, 2022, CWP version 0.9.8.1147 was released to address CVE-2022-44877, which affects earlier versions of the panel. CloudSEK, which has published a technical analysis of the PoC exploit code, searched for CWP servers on the Shodan platform and found more than 400,000 CWP instances reachable over the internet.
Researchers at the Shadowserver Foundation, who observed the vulnerability being exploited, report that their scans detect about 38,000 CWP instances daily. This figure represents the platform's overall population, not the number of vulnerable machines. According to malicious activity captured by Shadowserver and shared with the media, attackers are locating vulnerable hosts and exploiting CVE-2022-44877 to spawn a terminal and interact with the system.
In some attacks, the exploit is used to launch a reverse shell: the encoded payloads decode to Python commands that use the Python pty module to connect back to the attacker's system and spawn a terminal on the vulnerable host. Other activity only sought to locate vulnerable targets; it is unclear whether these scans come from threat actors identifying machines to compromise later or from researchers. All of these exploitation attempts appear to be based on Numan Türle's original public PoC, modified substantially to suit each attacker's needs.
The research firm GreyNoise has also observed numerous attacks on unpatched CWP hosts originating from IP addresses in the Netherlands, the United States, and Thailand. Exploiting CVE-2022-44877 is simple, and because the exploit code is already public, all that remains for attackers is the tedious work of finding vulnerable targets. Administrators should act immediately and upgrade CWP to the most recent version, which as of December 1, 2022 is 0.9.8.1148.