The Indian Cyber Emergency Response Team (CERT-IN) has issued an alert on a critical vulnerability in Control Web Panel (CWP), the popular free web hosting control panel.
CWP, formerly known as CentOS Web Panel, is a commonly used server administration tool for Linux systems in enterprise environments.
Code-named CIVN-2023-0019, the remote code execution vulnerability in Control Web Panel comes with the severity rating critical. It affects the Control Web Panel or CentOS Web Panel software before 0.9.8.1147.
“This vulnerability exists in Control Web Panel 7 due to flaw in the /login/index.php component. A remote unauthenticated attacker could exploit this vulnerability by executing arbitrary OS commands via shell meta characters in the login parameter,” said the CERT-IN note.
“The vulnerability is being actively exploited in the wild,” it added.
Control Web Panel and bugs
The latest alert follows a similar alert by the National Institute of Standards and Technology, indicating that cybercriminals are trying to take advantage of a similar vulnerability in CWP that has recently been fixed.
The vulnerability, identified as CVE-2022-44877 and rated with a CVSS score of 9.8, grants elevated privileges and allows unauthenticated remote code execution on affected servers.
According to the National Institute of Standards and Technology, the vulnerability is located in the “login/index.php” file and can be exploited by inputting shell metacharacters in the login parameter.
In January 2022, two critical issues that could have been used for pre-authenticated remote code execution were identified in the hosting panel.
Vulnerability and patch issue
Despite timely alerts, users often lag in patching their systems.
Microsoft had issued an alert on CVE-2022-37958 in December, clearly mentioning that the bug patched in September was still wormable.
A spot survey by The Cyber Express among its registered readers found that many are unaware of the bug.
A random survey among 32 CISO leaders across geographies working in organizations across sectors showed that only 17% initiated the patch, that too after the alert in December.
An astonishing 43% is yet to ensure a complete update of their systems.