The US government’s cybersecurity agency CISA is giving federal agencies an early February deadline to patch a critical — and already exploited — security vulnerability in the widely used CentOS Control Web Panel utility.
The agency added the CVE-2022-44877 flaw to its KEV (Known Exploited Vulnerabilities) catalog and set a February 7th deadline for federal agencies to test and deploy an available fix.
Security researchers warned earlier this month that the publication of proof-of-concept code and a YouTube video demonstration would lead to live attacks. Soon after, threat-hunting outfits GreyNoise and Shadowserver spotted signs of exploitation in the wild.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” CISA warned in a note posted alongside the catalog update.
The CWP Control Web Panel utility, previously known as CentOS Web Panel, is a popular, free web hosting panel for enterprise-based Linux systems, offering support for the management and security of both servers and clients.
The bug is described as an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter.
The vulnerability has a CVSS severity score of 9.8/10 and is considered trivial to exploit.
Patches for the CVE-2022-44877 were included in CWP7 version 0.9.8.1147. CWP users are advised to update to this or a newer version of the management panel as soon as possible.
Related: Cisco Confirms In-the-Wild Exploitation of Two VPN Flaws
Related: Apple Warns of macOS Kernel Zero-Day Exploitation
Related: Atlassian: Expect Confluence App Exploitation After Password Leak
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
- Investors Make $6M Bet on Manifest for SBOM Management Technology
- Entro Raises $6M to Tackle Secrets Sprawl
- IBM Snaps up DSPM Startup Polar Security
- Huntress Closes $60M Series C for MDR Expansion
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
