Control Web Panel - Remote Code Execution
Description:
A pre-authentication remote code execution (RCE) vulnerability has been discovered in the widely used web hosting platform Control Web Panel (CWP). CWP, formerly known as CentOS Web Panel, is a free-to-use Linux web hosting control panel designed for quick and easy server management.
This vulnerability was first disclosed on 30th July, 2022 and allows attackers to compromise servers remotely. It is caused by an issue in the /login/index.php component of CentOS Web Panel: in CentOS Web Panel 7 before v0.9.8.1147, this component allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests. To exploit the vulnerability, an attacker only needs to send a malicious HTTP request to an affected server.
A proof of concept was released recently, on 5th January, by Turkish security engineer Numan Turle. As per the PoC, the recommended solution is to upgrade CWP to the latest version.
Affected Version:
<= 0.9.8.1147
CVE_IDs:
- CVE-2022-44877
Source:
Impact:
It allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.
Attackers can gain full control over a compromised machine.
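Two checks a defender would want from this advisory, as an added example that is not part of the advisory or of CWP itself: deciding whether an installed version falls in the affected range stated above, and flagging web-server log entries for the /login/index.php endpoint whose request target carries characters a normal login request would not. The Common Log Format, the "expected characters" set, and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Highest affected CWP release as given in the advisory ("<= 0.9.8.1147").
LAST_AFFECTED = (0, 9, 8, 1147)
LOGIN_ENDPOINT = "/login/index.php"
# Assumed character set for a legitimate login request target (after URL decoding).
EXPECTED_TARGET = re.compile(r"^[A-Za-z0-9/._?=&+@-]*$")
# Common Log Format: client ident user [time] "METHOD target PROTO" status size
ACCESS_LOG = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_version(text):
    """Turn '0.9.8.1147' or 'v0.9.8.1148' into a 4-tuple of ints for comparison."""
    m = re.search(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised CWP version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0, 0))[:4]  # pad short strings such as '0.9.8'


def is_affected(version_text):
    """True when the installed CWP version is at or below the last affected release."""
    return parse_version(version_text) <= LAST_AFFECTED


def triage_access_log(lines):
    """Return (client, time, decoded target) for hits on the login endpoint whose
    decoded request target contains characters outside the expected set."""
    findings = []
    for line in lines:
        m = ACCESS_LOG.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        client, when, _method, target, _status = m.groups()
        decoded = unquote(target)
        if decoded.startswith(LOGIN_ENDPOINT) and not EXPECTED_TARGET.match(decoded):
            findings.append((client, when, decoded))
    return findings


# Constructed sample log lines (not real traffic): a normal login, an unrelated
# page, and a login request carrying quotes and whitespace in its parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jan/2023:10:00:01 +0000] "GET /login/index.php?login=admin HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jan/2023:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '198.51.100.7 - - [05/Jan/2023:10:00:03 +0000] "GET /login/index.php?login=%22x%20y%22 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for v in ("0.9.8.1147", "v0.9.8.1148"):
        print(v, "affected" if is_affected(v) else "not affected")
    for client, when, target in triage_access_log(SAMPLE_LOG):
        print(f"{when} {client} {target}")
```

The log heuristic is a triage aid, not proof of exploitation; flagged entries still need to be reviewed alongside the version check and the upgrade status of the host.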