Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Exploited Control Web Panel Flaw Added to CISA ‘Must-Patch’ List

CISA gave federal agencies a February deadline to patch a critical vulnerability in the CentOS Control Web Panel utility.

The US government’s cybersecurity agency CISA is giving federal agencies an early February deadline to patch a critical — and already exploited — security vulnerability in the widely used CentOS Control Web Panel utility.

The agency added the CVE-2022-44877 flaw to its KEV (Known Exploited Vulnerabilities) catalog and set a February 7th deadline for federal agencies to test and deploy an available fix.

Security researchers warned earlier this month that the publication of proof-of-concept code and a YouTube video demonstration would lead to live attacks.  Soon after, threat-hunting outfits GreyNoise and Shadowserver spotted signs of exploitation in the wild. 

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” CISA warned in a note posted alongside the catalog update.

The CWP Control Web Panel utility, previously known as CentOS Web Panel, is a popular, free web hosting panel for enterprise-based Linux systems, offering support for the management and security of both servers and clients.

The bug is described as an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter.

The vulnerability has a CVSS severity score of 9.8/10 and is considered trivial to exploit.

Advertisement. Scroll to continue reading.

Patches for the CVE-2022-44877 were included in CWP7 version CWP users are advised to update to this or a newer version of the management panel as soon as possible.

Related: Cisco Confirms In-the-Wild Exploitation of Two VPN Flaws

Related: Apple Warns of macOS Kernel Zero-Day Exploitation

Related: Atlassian: Expect Confluence App Exploitation After Password Leak

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.