Threat actors are abusing a known vulnerability in Control Web Panel (CWP) to start reverse shells and execute malicious code remotely.
Researcher Numan Türle from Gais Cyber Security released a YouTube video showing how the vulnerability can be exploited. Three days later, researchers observed an uptick in the abuse of the flaw, which is tracked as CVE-2022-44877, and carries a severity score of 9.8/10 - critical.
The fix for the vulnerability being abused was released in late October 2022, but ever since a security researcher published a proof-of-concept (PoC), hackers picked up the pace.
Reverse shell
The potential attack surface is quite large. CloudSek, which analyzed the PoC, says running a search for CWP servers on Shodan brings back more than 400,000 internet-accessible instances. While not all of those are obviously vulnerable, it shows that the flaw has quite the destructive potential. Furthermore, Shadowserver Foundation’s researchers claim some 38,000 CWP instances pop up every day.
Endpoints that really are vulnerable are being exploited to spawn an interaction terminal, researchers say. Starting a reverse shell, hackers would convert encoded payloads to Python commands which would reach out to the attacker’s devices and spawn a terminal with the Python pty Module. However, not all hackers are that fast - some are just scanning for vulnerable machines, possibly to prepare for future attacks, researchers speculate.
The worst thing about abusing CVE-2022-44877 in attacks is that it has gotten super easy, especially after the exploit code was made public. All hackers have to do now is find vulnerable targets which, according to the publication, is a “menial task”.
CWP version 0.9.8.1147, which addresses this issue, was released on October 25, 2022. IT admins are urged to apply this fix, or even better - update CWP to the current version of 0.9.8.1148, published in early December.
- Here's our rundown of the best firewalls today
Via: BleepingComputer