Hackers exploit Control Web Panel flaw to open reverse shells

Hackers are exploiting a critical vulnerability in Control Web Panel (CWP), a web-based server management tool that was previously known as CentOS Web Panel.

The issue has been identified as . It received a critical severity score of 9.8 out of 10 because it allows attackers to execute code remotely without authentication.

Exploit code publicly available

The issue was reported by around October. Gais Cyber Security published a proof-of-concept (PoC) exploit along with a video.


Three days later, security researchers observed hackers exploiting the flaw to gain remote access to unpatched systems and to scan for other vulnerable machines.

CWP released a fix on October 25, 2022 for CVE-2022-444877, which affects earlier versions.

CloudSek has published a technical analysis of the PoC exploit code. Searching Shodan, its researchers found more than 400,000 CWP instances reachable over the Internet.

Control Web Panel (CentOS Web Panel) instances on the internet

source: CloudSek

Researchers from The Shadowserver Foundation noticed that the vulnerability was being exploited daily.

That figure reflects the CWP population seen by the platform, not the number of vulnerable machines.

Control Web Panel instances in daily Shadowserver scans

source: The Shadowserver Foundation

Malicious activity recorded by Shadowserver and shared with BleepingComputer shows attackers locating vulnerable hosts and exploiting CVE-2022-444877 to open a terminal.

In some cases the exploit is used to launch a reverse shell: encoded payloads decode to Python commands that call back to the attacker's machine and spawn a terminal on the vulnerable host using the Python module.
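The encoded-payload-to-Python pattern described above is something a defender can look for in web server logs. The following is an added example, not code from the article, from CWP, or from any of the researchers named here: it percent-decodes each request line, base64-decodes any long base64-looking run in it, and flags decoded text that carries Python shell-spawning indicators. The request path, parameter names and log lines are constructed for illustration and are assumptions, not CWP's real endpoints.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Substrings whose presence in a decoded parameter suggests Python code that
# spawns a terminal or opens an outbound connection, the behaviour described
# in the article. Order matters only for the order of reported hits.
INDICATORS = ("pty.spawn", "socket.socket", "subprocess.", "os.dup2",
              "/bin/sh", "/bin/bash")

# Runs of base64 alphabet long enough to carry a script rather than a short id.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidates(text):
    """Return (token, decoded_text) for each base64-looking run that decodes to text."""
    out = []
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # wrong length/padding, or not UTF-8: not a text payload
        # Drop binary blobs that happen to be valid UTF-8 but are not readable.
        if not all(ch.isprintable() or ch in "\n\r\t" for ch in decoded):
            continue
        out.append((token, decoded))
    return out


def indicators_in(decoded):
    """Return the shell indicators present in a decoded payload, in INDICATORS order."""
    return [ind for ind in INDICATORS if ind in decoded]


def scan_log(lines):
    """Return one finding per log line whose decoded payload carries shell indicators."""
    findings = []
    for number, line in enumerate(lines, start=1):
        # Percent-decode first so encoded '+', '/' and '=' rejoin the base64 run.
        # unquote (not unquote_plus) keeps a literal '+' intact.
        for token, decoded in decode_candidates(unquote(line)):
            hits = indicators_in(decoded)
            if hits:
                findings.append({"line": number, "token": token,
                                 "decoded": decoded, "indicators": hits})
    return findings


# Constructed sample log (assumption: Apache-style access log; the path and
# parameter names are placeholders, not CWP's real endpoint). Line 1 carries a
# base64 Python snippet that spawns a shell; line 2 carries an ordinary base64
# cookie value; line 3 carries a hex cache-buster that is not valid base64.
SHELL_TOKEN = base64.b64encode(b'import socket,pty;pty.spawn("/bin/sh")').decode()
COOKIE_TOKEN = base64.b64encode(b"user=alice;theme=dark;lang=en").decode()
SAMPLE_LOG = [
    f'203.0.113.9 - - [07/Jan/2023:10:14:02 +0000] "GET /panel/endpoint.php?data={quote(SHELL_TOKEN)} HTTP/1.1" 200 512',
    f'198.51.100.4 - - [07/Jan/2023:10:14:05 +0000] "GET /panel/index.php?session={COOKIE_TOKEN} HTTP/1.1" 200 4096',
    '198.51.100.7 - - [07/Jan/2023:10:14:09 +0000] "GET /static/app.js?v=2b0b9d6f6d3c4e8a7f HTTP/1.1" 200 8821',
]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: indicators {finding['indicators']}")
        print(f"  decoded: {finding['decoded']!r}")
```

Only the first sample line is reported; the cookie decodes cleanly but contains no indicator, and the hex token fails base64 validation. In a real deployment the indicator list would be tuned to the platform and the scan pointed at the panel's access log, with hits fed to whatever alerting the team already uses.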

Other attempts were scans for vulnerable machines, which may come from threat actors or from researchers looking for hosts to break into later.

All of these exploit attempts appear to be based on Numan Turle's original PoC, with slight modifications by the attacker.

The research company observed multiple attacks against unpatched CWP hosts from IP addresses in the United States and Thailand.

Exploiting CVE-2022-447877 is simple; with the exploit code public, attackers only need to find vulnerable targets.

Administrators are advised to update CWP immediately to the latest version, released December 1, 2022.