Hackers are actively exploiting a critical vulnerability in Control Web Panel (CWP), a tool for managing servers. The vulnerability, identified as CVE-2022-44877, allows an attacker to execute code remotely without authentication and has a severity score of 9.8 out of 10.
The issue was reported in October 2022 and the exploit code was made publicly available on January 3, 2023, by researcher Numan Türle from Gais Cyber Security.
Within three days of the exploit code being made available, security researchers observed hackers exploiting the flaw to gain remote access to unpatched systems and to find more vulnerable machines.
The vulnerability affects previous versions of the panel, and version 0.9.8.1147 was released on October 25, 2023, to address the issue.
According to CloudSek, a search for CWP servers on the Shodan platform found over 400,000 CWP instances accessible over the internet. The Shadowserver Foundation has also observed exploitation of the vulnerability and estimates that around 38,000 CWP instances are seen every day by their scans.
Hackers are using the exploit to start a reverse shell and to execute malicious code remotely. In some cases, the exploit is being used to identify vulnerable machines for future attacks.
The exploit attempts are based on the original public PoC from Numan Türle and have been slightly modified to suit the attacker’s needs.
Administrators are advised to take immediate action and update CWP to the latest version available, currently 0.9.8.1148, which was released on December 1, 2022.
With exploit code readily available, it is easy for hackers to find and exploit vulnerable targets, making it crucial for administrators to ensure their systems are patched and secure.