Threat actors are abusing a known vulnerability in the Control Web Panel (CWP) to launch a reverse shell and execute malicious code remotely.
Numan Türle, a researcher at Gais Cyber Security, posted a YouTube video showing how the vulnerability can be exploited. Three days later, researchers observed an uptick in exploitation attempts. The flaw is tracked as CVE-2022-44877 and has a severity score of 9.8/10 (Critical).
A fix for the abused vulnerability was released in late October 2022, but hackers have picked up the pace since security researchers released a proof-of-concept (PoC).
The potential attack surface is very large. CloudSEK, which analyzed the PoC, said a search for CWP servers on Shodan returned more than 400,000 instances reachable over the internet. Not all of them are necessarily vulnerable, but the number shows how much damage the flaw could do. Additionally, researchers at the Shadowserver Foundation report seeing approximately 38,000 CWP instances per day.
Servers that are actually vulnerable are being exploited to open an interactive session, the researchers said. The attacker's encoded payload decodes into Python commands that connect back to the attacker's machine and spawn a terminal with Python's pty module, giving the attacker a reverse shell. Not all attackers went that far, however; the researchers speculate that some were simply scanning for vulnerable machines, possibly in preparation for future attacks.
The worst thing about CVE-2022-44877 is that exploiting it has become very easy, especially now that the exploit code is public. All attackers have to do is find vulnerable targets, which according to the publication is a "trivial task."
CWP version 0.9.8.1147, which resolves this issue, was released on October 25, 2022. IT admins are urged to apply this fix or, better still, update CWP to the current version 0.9.8.1148, released in early December.
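Two practical checks follow from the article: whether an installed CWP build is at or above the version that carries the fix, and whether process logs show the post-exploitation pattern described above (a Python interpreter, often fed a base64-encoded blob, spawning a terminal through the pty module). The script below is an added example written for this article; it is not code from CWP, CloudSEK or the researchers cited. It assumes CWP's four-part dotted version scheme as quoted in the article, and the log lines it scans are constructed samples whose field layout (`uid=`, `exe=`, `cmd=`) is an assumption rather than any particular product's format.

```python
import base64
import re

# Version named in the article as carrying the fix for CVE-2022-44877.
FIXED_VERSION = (0, 9, 8, 1147)


def parse_version(text):
    """Turn a dotted CWP version string such as '0.9.8.1146' into a tuple of ints
    (four-part scheme assumed from the versions quoted in the article)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CWP version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version_text):
    """True when the installed version is at or above the fixed release."""
    return parse_version(version_text) >= FIXED_VERSION


# Indicators of the behaviour the article describes: Python spawning a
# terminal via the pty module. Checked both on the raw command line and on
# any base64 blob embedded in it.
PTY_INDICATORS = ("import pty", "pty.spawn(")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_blobs(command_line):
    """Return the decoded text of every base64-looking run in a command line."""
    decoded = []
    for match in B64_RE.finditer(command_line):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except Exception:  # not valid base64 after all; skip it
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def is_suspicious_command(command_line):
    """Flag a command that, directly or after base64 decoding, spawns a pty from Python."""
    candidates = [command_line] + decode_base64_blobs(command_line)
    return any(ind in text for text in candidates for ind in PTY_INDICATORS)


def find_suspicious_commands(log_lines):
    """Return the subset of log lines worth an analyst's attention."""
    return [line for line in log_lines if is_suspicious_command(line)]


# Constructed sample input (not real telemetry). The encoded blob only spawns a
# local terminal; it is there to exercise the decoder, not to model an attack.
SAMPLE_PAYLOAD = base64.b64encode(b'import pty;pty.spawn("/bin/bash")').decode()
BENIGN_BLOB = base64.b64encode(b"hello world, this is benign text").decode()

SAMPLE_LOG = [
    "uid=0 exe=/usr/bin/python3 cmd=python3 -c \"import base64;"
    "exec(base64.b64decode('" + SAMPLE_PAYLOAD + "'))\"",
    "uid=1000 exe=/usr/bin/python3 cmd=python3 /opt/app/report.py --daily",
    "uid=0 exe=/bin/sh cmd=sh -c 'echo " + BENIGN_BLOB + " | base64 -d'",
    "uid=0 exe=/usr/bin/python3 cmd=python3 -c 'import pty;pty.spawn(\"/bin/sh\")'",
]

if __name__ == "__main__":
    for v in ("0.9.8.1146", "0.9.8.1147", "0.9.8.1148"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for hit in find_suspicious_commands(SAMPLE_LOG):
        print("suspicious:", hit)
```

The version check is only a first-pass signal: it tells you whether the installed build predates the fix, not whether the host was already exploited, which is what the log scan is for. Decoding embedded base64 matters because the article notes the payload arrives encoded; a detector that only looks at the raw command line would miss it.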
Via: BleepingComputer