Hackers Target and Exploit Control Web Panel’s Major Security Vulnerability
Threat actors are taking advantage of a known vulnerability in the Control Web Panel (CWP) to start a reverse shell and execute malicious code remotely.
Researcher Numan Türle from Gais Cyber Security released a YouTube video showing how the vulnerability can be exploited. Three days later, researchers observed an increase in abuse of the vulnerability, tracked as CVE-2022-44877 and with a severity score of 9.8/10 – critical.
The fix for the abused vulnerability was released at the end of October 2022, but since a security researcher published the proof of concept (PoC), hackers have picked up the pace.
Reverse shell
The potential attack surface is quite large. CloudSek, the company that analyzed the PoC, says that a search for CWP servers on Shodan yields more than 400,000 internet-accessible instances. Not all of them are vulnerable, but the number shows how broad the potential impact is. Furthermore, Shadowserver Foundation researchers say they see about 38,000 CWP instances every day.
The vulnerable servers are being exploited to create an interactive terminal, the researchers say. After starting a reverse shell, the attacker decodes the encrypted payloads into Python commands that connect back to the attacker’s device and spawn a terminal using the Python pty module. Not all attackers move that fast, however – some are only scanning for vulnerable machines, possibly in preparation for future attacks, the researchers speculate.
The worst part about CVE-2022-44877 is how easy it is to abuse, especially now that the exploit code is public. All an attacker has to do is find vulnerable targets, which, according to the publication, is a “trivial task”.
CWP version 0.9.8.1147, which resolves this issue, was released on October 25, 2022. IT admins should apply this fix or, better still, update CWP to version 0.9.8.1148, the current release, published in early December.
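A quick way for an administrator to act on the advice above is to compare each host’s reported CWP version against the fixed release. The following is an added example written for this article, not code from CWP or from the researchers; it assumes the version string has already been collected from each host (how CWP exposes it is not covered here) and the hostnames and version numbers in the inventory are constructed for illustration. The only values taken from the article are the two release numbers. The point it makes beyond the text is that a naive string comparison gets dotted versions wrong, so the components must be compared numerically.

```python
"""Flag Control Web Panel (CWP) hosts still running a version older than
the release that fixes CVE-2022-44877.

Added example, not part of the original article. Assumes version strings
have already been gathered from the hosts (hypothetical inventory below).
"""
from typing import Dict, List, Tuple

FIXED_VERSION = "0.9.8.1147"        # release that resolved CVE-2022-44877 (Oct 25, 2022)
RECOMMENDED_VERSION = "0.9.8.1148"  # later release the article recommends


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.9.8.1147' into (0, 9, 8, 1147).

    Numeric tuples compare correctly. A plain string comparison would rank
    '0.9.8.999' above '0.9.8.1147' because '9' > '1', so a patch check built
    on string ordering would silently pass an unpatched host.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CWP version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def assess(version: str) -> str:
    """One-line patch status for a triage report."""
    v = parse_version(version)
    if v < parse_version(FIXED_VERSION):
        return f"{version}: VULNERABLE to CVE-2022-44877, update to {RECOMMENDED_VERSION}"
    if v < parse_version(RECOMMENDED_VERSION):
        return f"{version}: patched, but {RECOMMENDED_VERSION} is current"
    return f"{version}: up to date"


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) whose CWP version is still unpatched.

    Hosts whose version string cannot be parsed are reported too: an unknown
    version must not be treated as safe.
    """
    flagged = []
    for host, version in inventory.items():
        try:
            if is_vulnerable(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "web-01": "0.9.8.1140",  # pre-fix
    "web-02": "0.9.8.1147",  # fixed release
    "web-03": "0.9.8.1148",  # recommended release
    "web-04": "0.9.8.999",   # pre-fix; string comparison would miss this one
    "web-05": "unknown",     # could not be determined, report it anyway
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        try:
            print(f"{host}: {assess(version)}")
        except ValueError as exc:
            print(f"{host}: {exc}")
    print("needs attention:", ", ".join(vulnerable_hosts(SAMPLE_INVENTORY)))
```

Feeding the script a real inventory is a matter of replacing `SAMPLE_INVENTORY` with the versions collected from your hosts; the comparison logic itself needs no change, and hosts whose version cannot be read are deliberately listed alongside the unpatched ones rather than dropped.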
Via: BleepingComputer