CVE-2022-44877
Published: 05 January 2023
Summary
CVE-2022-44877 is a critical-severity OS Command Injection (CWE-78) vulnerability in Control-Webpanel Webpanel. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-44877 is a command injection vulnerability in the login/index.php endpoint of Control Web Panel (CWP, also known as CentOS Web Panel) version 7 prior to 0.9.8.1147. The flaw, tracked as CWE-78, allows unsanitized shell metacharacters supplied in the login parameter to reach operating system commands, and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible, unauthenticated exploitation with high impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can submit crafted POST requests to the affected login page and obtain arbitrary operating-system command execution on the underlying server. Successful exploitation grants attackers the ability to run any command permitted by the web-server process privileges, typically resulting in full system compromise without requiring prior authentication or user interaction.
Public exploit code and technical write-ups have been posted to Packet Storm, Full Disclosure, and GitHub, confirming that working remote-code-execution payloads are readily available. The CVE’s EPSS score has reached a peak of 0.9751 and currently stands at 0.9446, indicating sustained and substantial exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-47807
Vulnerability details
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 17 January 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks shell metacharacters in the unauthenticated login parameter before OS command execution can occur.
- SI-2 (Flaw Remediation): Requires prompt application of the vendor patch that eliminates the command-injection flaw in login/index.php.
- Monitoring control (not named on this page): Enables monitoring of web-server processes and command execution to identify exploitation attempts against the vulnerable endpoint.
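The following is an added example, not code from CWP or from this advisory's source, showing what the input-validation and monitoring controls above look like in practice: an allow-list check for the login parameter (the allow-list pattern, the request-record shape and the sample records are assumptions constructed for this example, not CWP's own rules or logs), plus a review routine that flags POST requests to login/index.php whose login value falls outside the allow-list and names the shell metacharacters it contains.

```python
"""Defensive checks for CVE-2022-44877-style input: allow-list validation of the
login parameter (SI-10) and a review of request records for attempts against
login/index.php. Example code only; the allow-list and record format are
assumptions, not CWP's implementation."""
import re
from typing import Iterable, NamedTuple

# Characters a POSIX shell treats specially. A login name has no legitimate
# need for any of them; this set is used only to explain *why* a value failed.
SHELL_METACHARS = set(";&|`$<>(){}[]\n\r\\'\"*?!~")

# Allow-list for a login name (assumed policy): letters, digits, dot, underscore,
# hyphen, 1-64 characters. The allow-list, not the metacharacter set, is the
# actual control: anything not matching is rejected before any command runs.
SAFE_LOGIN = re.compile(r"[A-Za-z0-9._-]{1,64}")

VULN_PATH = "/login/index.php"  # endpoint named in the advisory


def is_safe_login(value: str) -> bool:
    """True only if the whole value matches the allow-list."""
    return SAFE_LOGIN.fullmatch(value) is not None


def suspicious_chars(value: str) -> list:
    """Sorted list of distinct shell metacharacters present in value."""
    return sorted({c for c in value if c in SHELL_METACHARS})


class Finding(NamedTuple):
    src: str      # client address from the record
    path: str     # request path
    login: str    # offending login value, kept for the analyst
    reason: str   # why it was flagged


def review_requests(records: Iterable[dict]) -> list:
    """Flag POST requests to the vulnerable endpoint whose login parameter
    fails the allow-list. Records are dicts with keys method, path, src, params;
    this shape is an assumption for the example (a WAF or application log that
    captures request parameters would be the real source)."""
    findings = []
    for r in records:
        if r["method"].upper() != "POST" or r["path"] != VULN_PATH:
            continue  # only the login POST is in scope for this CVE
        login = r["params"].get("login", "")
        if is_safe_login(login):
            continue
        chars = suspicious_chars(login)
        if chars:
            reason = "shell metacharacters " + " ".join(repr(c) for c in chars)
        else:
            reason = "login outside allow-list"
        findings.append(Finding(r["src"], r["path"], login, reason))
    return findings


# Constructed sample records: not real traffic, built to exercise each branch.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": VULN_PATH, "src": "198.51.100.10",
     "params": {"login": "alice"}},                      # GET: out of scope
    {"method": "POST", "path": VULN_PATH, "src": "198.51.100.11",
     "params": {"login": "alice"}},                      # valid login
    {"method": "POST", "path": VULN_PATH, "src": "203.0.113.5",
     "params": {"login": "alice;x"}},                    # metacharacter ';'
    {"method": "POST", "path": VULN_PATH, "src": "203.0.113.6",
     "params": {"login": "$(x)"}},                       # command substitution chars
    {"method": "POST", "path": VULN_PATH, "src": "203.0.113.7",
     "params": {"login": "al ice"}},                     # fails allow-list, no metachars
    {"method": "POST", "path": "/api/other", "src": "203.0.113.8",
     "params": {"login": "a;b"}},                        # different endpoint: skipped
]

if __name__ == "__main__":
    for f in review_requests(SAMPLE_REQUESTS):
        print(f"{f.src} POST {f.path} login={f.login!r}: {f.reason}")
```

The allow-list is what a patched handler should enforce at the boundary; the metacharacter listing exists so that a flagged request in monitoring output tells the analyst what was attempted without any further parsing.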