Threat actors are exploiting a known vulnerability in Control Web Panel (CWP) to open reverse shells and execute malicious code remotely.
Researcher Numan Türle of Gais Cyber Security posted a video on YouTube showing how the vulnerability could be exploited. Three days later, researchers observed a surge in abuse of the vulnerability, which is tracked as CVE-2022-44877 and carries a severity rating of 9.8/10 (critical).
The patch for the abused vulnerability was published in late October 2022, but since a security researcher released a proof of concept (PoC), attackers have picked up the pace.
The potential attack surface is large. CloudSEK, which analyzed the PoC, reports that a Shodan search for CWP servers returns more than 400,000 instances reachable from the Internet. Not all of them are necessarily vulnerable, but the figure shows the flaw's destructive potential. Shadowserver Foundation researchers, meanwhile, report seeing approximately 38,000 CWP instances every day.
Endpoints that really are vulnerable are being used to spawn an interactive terminal, researchers say. The reverse shell decodes an encoded payload into Python commands that connect back to the attacker's machine and open a terminal with Python's pty module. Not all attackers move that fast, however: some merely scan for vulnerable machines, possibly to stage future attacks, the researchers speculate.
The worst aspect of CVE-2022-44877 is how easy exploitation has become, especially now that the exploit code is public. All attackers have to do is find vulnerable targets, which the publication calls “a secondary task.”
CWP version 0.9.8.1147, which addresses this issue, was released on October 25, 2022. Administrators are urged to apply this fix or, better yet, update CWP to the current version, 0.9.8.1148, released in early December.
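Turning that advice into a fleet-wide check, as an added example that is not from the article or the CWP project: a Python triage that parses CWP version strings numerically (so a build such as 0.9.8.999 ranks below the 0.9.8.1147 fix instead of above it, as a plain string comparison would have it) and buckets hosts against the fixed release named above. The hostnames and inventory are constructed.

```python
from typing import Dict, List, Tuple

# Versions named in the article: the release that fixes CVE-2022-44877 and the
# later one administrators are advised to move to.
FIXED_VERSION = "0.9.8.1147"
CURRENT_VERSION = "0.9.8.1148"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted CWP version into integers so '0.9.8.1147' sorts above
    '0.9.8.999' (a plain string comparison would get that backwards)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CWP version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the reported version predates the fix for CVE-2022-44877."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts by patch status. Hosts whose version cannot be parsed go
    to 'unknown' so they are not silently treated as safe."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            status = "unknown"
        buckets[status].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up), shaped
# like an export from an asset-management tool.
SAMPLE_INVENTORY = {
    "cwp-01.example.internal": "0.9.8.1146",  # one release before the fix
    "cwp-02.example.internal": "0.9.8.1147",  # the fixed release
    "cwp-03.example.internal": "0.9.8.1148",  # current release per the article
    "cwp-04.example.internal": "0.9.8.999",   # old build that string-sorts "higher"
    "cwp-05.example.internal": "unknown",     # agent could not read the version
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```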
Via: BleepingComputer