Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Exploited Control Web Panel Flaw Added to CISA ‘Must-Patch’ List

CISA gave federal agencies a February deadline to patch a critical vulnerability in the CentOS Control Web Panel utility.

The US government’s cybersecurity agency CISA is giving federal agencies an early February deadline to patch a critical — and already exploited — security vulnerability in the widely used CentOS Control Web Panel utility.

The agency added the CVE-2022-44877 flaw to its KEV (Known Exploited Vulnerabilities) catalog and set a February 7th deadline for federal agencies to test and deploy an available fix.

Security researchers warned earlier this month that the publication of proof-of-concept code and a YouTube video demonstration would lead to live attacks.  Soon after, threat-hunting outfits GreyNoise and Shadowserver spotted signs of exploitation in the wild. 

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” CISA warned in a note posted alongside the catalog update.

The CWP Control Web Panel utility, previously known as CentOS Web Panel, is a popular, free web hosting panel for enterprise-based Linux systems, offering support for the management and security of both servers and clients.

The bug is described as an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter.

The vulnerability has a CVSS severity score of 9.8/10 and is considered trivial to exploit.

Patches for the CVE-2022-44877 were included in CWP7 version 0.9.8.1147. CWP users are advised to update to this or a newer version of the management panel as soon as possible.

Advertisement. Scroll to continue reading.

Related: Cisco Confirms In-the-Wild Exploitation of Two VPN Flaws

Related: Apple Warns of macOS Kernel Zero-Day Exploitation

Related: Atlassian: Expect Confluence App Exploitation After Password Leak

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.