Malicious hackers have started to exploit a critical vulnerability in unpatched versions of the Control Web Panel, a widely used web hosting interface.
“This is an unauthenticated RCE,” members of the Shadowserver group wrote on Twitter, using the acronym for Remote Code Execution. “Exploitation is trivial and a PoC is published.” PoC refers to proof-of-concept code that exploits the vulnerability.
The vulnerability is tracked as CVE-2022-44877. It was discovered by Numan Türle of Gais Cyber Security and patched in October in version 0.9.8.1147. An advisory, however, was only released earlier this month, making it likely that some users are still unaware of the threat.
Figures from the security company GreyNoise show that these attacks began on January 7 and have slowly increased since then, with the latest round lasting through Wednesday. The company said the exploits came from four different IP addresses in the US, the Netherlands and Thailand.
Shadowserver data shows that there are approximately 38,000 IP addresses running Control Web Panel, with the highest concentration in Europe, followed by North America and Asia.
The severity rating for CVE-2022-44877 is 9.8 out of a possible 10. “Bash commands can be executed because double quotes are used to log incorrect entries in the system,” the vulnerability advisory states. As a result, unauthenticated attackers can run malicious commands during the login process. A video embedded in the original article shows the exploit process.
The vulnerability resides in the /login/index.php component and resulted from CWP using a faulty structure when logging incorrect login entries. The structure is:
echo "incorrect entry, IP address, HTTP_REQUEST_URI" >> /blabla/wrong.log
“Since the request URI comes from the user and, as you can see, it’s in double quotes, it’s possible to run commands like $(blabla), which is a bash function,” Türle told the publication.
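As an added example (not CWP's code and not from the article), the following Python reproduces the logging structure Türle describes beside two hardened forms and a small check for hunting substitution syntax in request URIs. The function names, the IP address 203.0.113.5 and the request URI are constructed for illustration; the only thing the unsafe path has in common with CWP is the shape of the shell command string.

```python
"""Failed-login logging: the CWP-style shell interpolation beside two safe forms.

Added example (not CWP's code). Names and the sample IP/URI are constructed.
"""
import os
import shlex
import subprocess
import tempfile
from urllib.parse import unquote


def build_log_command_unsafe(ip: str, request_uri: str, log_path: str) -> str:
    """Mirror the faulty structure quoted in the article.

    The request URI is spliced into the command text inside a double-quoted
    word, so the shell performs $(...) and `...` substitution on it before
    echo runs. Building the command string this way is the defect.
    """
    return f'echo "incorrect entry, {ip}, {request_uri}" >> {log_path}'


def log_failed_login_unsafe(ip: str, request_uri: str, log_path: str) -> None:
    """Vulnerable path: untrusted text becomes part of a shell command."""
    subprocess.run(build_log_command_unsafe(ip, request_uri, log_path),
                   shell=True, check=True)


def log_failed_login_safe(ip: str, request_uri: str, log_path: str) -> None:
    """Hardened path: plain file append, no shell involved at all.

    Newlines are escaped so a crafted URI cannot forge extra log records.
    """
    uri = request_uri.replace("\r", "\\r").replace("\n", "\\n")
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(f"incorrect entry, {ip}, {uri}\n")


def build_log_command_quoted(ip: str, request_uri: str, log_path: str) -> str:
    """If a shell is unavoidable, single-quote every untrusted value.

    shlex.quote yields a single-quoted word, and nothing inside single quotes
    is expanded, so $(...) reaches the log as literal text.
    """
    line = f"incorrect entry, {ip}, {request_uri}"
    return f"printf '%s\\n' {shlex.quote(line)} >> {shlex.quote(log_path)}"


def log_failed_login_quoted(ip: str, request_uri: str, log_path: str) -> None:
    """Shell-based but quoted: the URI is data, never command text."""
    subprocess.run(build_log_command_quoted(ip, request_uri, log_path),
                   shell=True, check=True)


def read_log(log_path: str) -> list:
    with open(log_path, encoding="utf-8") as fh:
        return fh.read().splitlines()


def run_comparison(ip: str = "203.0.113.5",
                   request_uri: str = "/login/index.php?$(echo EXPANDED)") -> dict:
    """Log one constructed failed-login event through all three paths and
    return what each log file really contains. Only the unsafe path performs
    the substitution; the other two keep the URI verbatim."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, writer in (("unsafe", log_failed_login_unsafe),
                             ("safe", log_failed_login_safe),
                             ("quoted", log_failed_login_quoted)):
            path = os.path.join(tmp, f"{name}.log")
            writer(ip, request_uri, path)
            results[name] = read_log(path)
    return results


# Detection side: substrings that start command or variable substitution in
# a double-quoted bash word. URL-decode first so %24%28 is caught as well.
SUBSTITUTION_MARKERS = ("$(", "`", "${")


def looks_like_shell_substitution(request_uri: str) -> bool:
    """Flag request URIs (e.g. from web-server access logs) that carry bash
    substitution syntax; useful when reviewing traffic to unpatched hosts."""
    decoded = unquote(request_uri)
    return any(marker in decoded for marker in SUBSTITUTION_MARKERS)


if __name__ == "__main__":
    for name, lines in run_comparison().items():
        print(f"{name:7s} -> {lines}")
```

Running the module shows the unsafe log line with the substitution already performed, while the file-append and the quoted variants record the request URI exactly as received; the second hardened form is the one to reach for when an existing code path genuinely must shell out.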
Given the ease and severity of exploitation and the availability of working exploit code, organizations using the Control Web Panel should ensure they are running version 0.9.8.1147 or later.