Hackers target and exploit major Control Web Panel security flaw


Threat actors are abusing a known vulnerability in Control Web Panel (CWP) to start reverse shells and execute malicious code remotely.

Researcher Numan Türle from Gais Cyber Security released a YouTube video showing how the vulnerability can be exploited. Three days later, researchers observed an uptick in abuse of the flaw, which is tracked as CVE-2022-44877 and carries a severity score of 9.8/10 (critical).

The fix for the vulnerability being abused was released in late October 2022, but hackers have picked up the pace since a security researcher published a proof-of-concept (PoC).

Reverse shell

The potential attack surface is quite large. CloudSEK, which analyzed the PoC, says a search for CWP servers on Shodan returns more than 400,000 internet-accessible instances. While not all of those are necessarily vulnerable, the number shows that the flaw has considerable destructive potential. Furthermore, Shadowserver Foundation's researchers say they see some 38,000 CWP instances every day.

Endpoints that are actually vulnerable are being exploited to spawn an interactive terminal, researchers say. To start a reverse shell, hackers decode encoded payloads into Python commands that connect back to attacker-controlled hosts and spawn a terminal using the Python pty module. However, not all hackers move that fast: some are merely scanning for vulnerable machines, possibly to prepare for future attacks, researchers speculate.
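As an added example, not from the article or from any of the researchers it cites, the following Python routine flags process command lines that spawn a terminal through the pty module, either directly or after base64 decoding, which is the activity pattern the article describes. The command lines, including the cwp paths in them, are constructed samples.

```python
import base64
import binascii
import re

# Constructed sample process command lines (not taken from the article).
# The third spawns a pty directly; the fourth carries the same Python
# one-liner base64-encoded, the "encoded payload" pattern described above.
SAMPLE_CMDLINES = [
    "/usr/bin/python3 /usr/local/cwp/scripts/cron_backup.py",
    "sh -c 'systemctl restart cwpsrv'",
    "python3 -c \"import pty; pty.spawn('/bin/bash')\"",
    "sh -c \"echo aW1wb3J0IHB0eTsgcHR5LnNwYXduKCcvYmluL2Jhc2gnKQ== | base64 -d | python3\"",
]

# Runs of base64 alphabet long enough to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# The pty-based terminal spawn the article attributes to the reverse shells.
PTY_RE = re.compile(r"\bpty\.spawn\s*\(")


def decode_b64_fragments(cmdline):
    """Return decoded text for every base64-looking run in the command line.

    Runs that are not valid base64 (wrong length, bad padding) are skipped;
    paths and ordinary words often match the alphabet but fail validation.
    """
    decoded = []
    for match in B64_RE.finditer(cmdline):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def classify(cmdline):
    """Return 'pty-spawn', 'encoded-pty-spawn' or None for one command line."""
    if PTY_RE.search(cmdline):
        return "pty-spawn"
    for text in decode_b64_fragments(cmdline):
        if PTY_RE.search(text):
            return "encoded-pty-spawn"
    return None


def scan(cmdlines):
    """Return (cmdline, label) pairs for every command line that is flagged."""
    return [(c, classify(c)) for c in cmdlines if classify(c) is not None]


if __name__ == "__main__":
    for cmdline, label in scan(SAMPLE_CMDLINES):
        print(f"{label}: {cmdline}")
```

Plugged into an EDR or auditd process-creation feed, the same classifier can surface post-exploitation shells on CWP hosts that have not yet received the fixed versions.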

The worst thing about CVE-2022-44877 is that abusing it has become very easy, especially now that the exploit code is public. All hackers have to do is find vulnerable targets, which, according to the publication, is a "menial task".

CWP version 0.9.8.1147, which addresses this issue, was released on October 25, 2022. IT admins are urged to apply this fix or, better still, update CWP to the current version, 0.9.8.1148, published in early December.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
