Control Web Panel OS Command Injection Exploitation Increases After POC Release
Vulnerability Report
Summary
On January 3, 2023, a security researcher published a proof-of-concept exploit for a vulnerability in Control Web Panel (CWP) that allows unauthenticated remote code execution. By January 6, the vulnerability was being actively exploited in the wild. The root cause is that incorrect entries are logged to the system using double quotes, and bash still evaluates command substitutions inside double quotes, so attacker-supplied text in such an entry is executed as bash commands. This allows attackers to remotely execute any operating system command via shell metacharacters in the login parameter (login/index.php).
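A log-review check for the behaviour described above, added here as an example and not taken from the advisory or from CWP: it flags requests to login/index.php whose login value contains shell metacharacters, including percent-encoded and double-encoded forms. The combined access-log layout, the query-string location of the login value, the function names and the sample entries are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed log layout: Apache/nginx "combined" format (client IP first, quoted request line).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: the login value travels in the query string of login/index.php.
LOGIN_RE = re.compile(r'(?:^|&)login=([^&]*)')
# Characters and sequences bash treats specially; none belong in a user name.
SHELL_META_RE = re.compile(r'\$\(|\$\{|`|[;|&<>\n]')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_login_requests(lines):
    """Return (client_ip, decoded_login) for login requests carrying shell metacharacters."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request entry
        target = urlsplit(m.group("target"))
        if not fully_decode(target.path).endswith("/login/index.php"):
            continue  # only the login endpoint named in the advisory
        login = LOGIN_RE.search(target.query)
        if not login:
            continue
        value = fully_decode(login.group(1))
        if SHELL_META_RE.search(value):
            hits.append((m.group("ip"), value))
    return hits

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2023:10:01:02 +0000] "GET /login/index.php?login=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jan/2023:10:02:11 +0000] "POST /login/index.php?login=$(id) HTTP/1.1" 302 0 "-" "curl/7.85.0"',
    '198.51.100.7 - - [06/Jan/2023:10:02:15 +0000] "POST /login/index.php?login=%24%28id%29 HTTP/1.1" 302 0 "-" "curl/7.85.0"',
    '203.0.113.5 - - [06/Jan/2023:10:03:40 +0000] "POST /login/index.php?login=%2524%2528id%2529 HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.44 - - [06/Jan/2023:10:04:00 +0000] "GET /login/index.php?login=bob%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in suspicious_login_requests(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

A hit shows that the request was made, not that a command ran; correlate flagged client addresses with process and file-system activity on the host.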