Hackers are trying to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that allows privilege escalation and arbitrary code execution on affected servers.
The security flaw is tracked as CVE-2022-44877 and has a CVSS score of 9.8. The bug affects all CWP versions up to 0.9.8.1147 and was fixed by the developers on October 25, 2022.
Control Web Panel (formerly known as CentOS Web Panel) is a popular server administration tool for corporate Linux systems.
"The login/index.php file in CWP versions prior to 0.9.8.1147 allows remote attackers to execute arbitrary commands using metacharacters in login parameters," according to NIST.
The vulnerability was discovered by Gais Security researcher Numan Türle, and active exploitation began on January 6, 2023, immediately after a proof-of-concept (PoC) exploit was published online.
GreyNoise reported that it had observed four unique IP addresses attempting to exploit CVE-2022-44877: two in the US and one each in the Netherlands and Thailand.
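For defenders, the two practical questions are whether an installed CWP is older than the fixed release and whether the web server logs show requests to login/index.php carrying the shell metacharacters NIST describes. The script below is an added example written for this article; it is not code from CWP, NIST or GreyNoise. The log format (Apache/nginx combined), the metacharacter list and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote
from typing import List, Tuple

# Release that the article says contains the fix.
FIXED_VERSION = "0.9.8.1147"

# Shell metacharacters typically abused in command injection. This list is
# an assumption for the example; NIST only says "metacharacters in login
# parameters" without enumerating them.
METACHAR_PATTERN = re.compile(r"[;|&`]|\$\(")

# Apache/nginx "combined" access-log layout. Assumed: CWP's own log format
# is not described on the page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.9.8.1147' into a comparable tuple such as (0, 9, 8, 1147)."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable_version(v: str) -> bool:
    """True if the installed CWP version predates the fixed release."""
    return parse_version(v) < parse_version(FIXED_VERSION)


def flag_login_injection(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, raw_request_path) for every request to
    login/index.php whose URL-decoded path or query contains a shell
    metacharacter. Decoding first means %3B, %7C and friends are caught
    the same way as their literal forms."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        raw_path = m.group("path")
        if "/login/index.php" not in raw_path:
            continue
        if METACHAR_PATTERN.search(unquote(raw_path)):
            hits.append((m.group("ip"), raw_path))
    return hits


# Constructed sample log lines (documentation IP ranges, placeholder payloads).
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Jan/2023:10:15:01 +0000] '
    '"GET /login/index.php?login=admin HTTP/1.1" 200 512',
    '203.0.113.11 - - [06/Jan/2023:10:15:07 +0000] '
    '"GET /login/index.php?login=admin%3BPLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.5 - - [06/Jan/2023:10:16:00 +0000] '
    '"GET /login/index.php?login=x%7CPLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.6 - - [06/Jan/2023:10:16:30 +0000] '
    '"GET /index.php?x=a;b HTTP/1.1" 404 200',
]

if __name__ == "__main__":
    for v in ("0.9.8.1146", "0.9.8.1147"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
    for ip, path in flag_login_injection(SAMPLE_LOG):
        print("suspicious login request from", ip, "->", path)
```

The fourth sample line carries a metacharacter but targets a different script, so it is deliberately not flagged; tune the path filter if your deployment serves CWP under a prefix. Any hit from a host still running a version older than 0.9.8.1147 should be treated as a possible compromise, not just a probe.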