Control Web Panel OS Command Injection Exploitation Increases After POC Release

Threat Level

Vulnerability Report

For a detailed threat advisory, download the pdf file here

Summary

On January 3, 2023, a security researcher published a proof-of-concept exploit for a vulnerability in Control Web Panel (CWP) that allows unauthenticated remote code execution. By January 6, the vulnerability was being actively exploited in the wild. The vulnerability is caused by the ability for attackers to execute bash commands when incorrect entries are logged to the system using double quotes. This allows them to remotely execute any operating system command via shell metacharacters in the login parameter (login/index.php).