CWP bugs allow code execution as root on Linux servers, patch now


Level 37
Thread author
Top Poster
Feb 4, 2016
Two security vulnerabilities that impact the Control Web Panel (CWP) software can be chained by unauthenticated attackers to gain remote code execution (RCE) as root on vulnerable Linux servers.
CWP, previously known as CentOS Web Panel, is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.

The two security flaws found by Octagon Networks' Paulos Yibelo are a file inclusion vulnerability (CVE-2021-45467) and a file write (CVE-2021-45466) bug that lead to RCE when chained together.
In short, successful exploitation requires bypassing security protections to prevent attackers from reaching the restricted API section without authentication.

This can be done by registering an API key using the file inclusion bug and creating a malicious authorized_keys file on the server using the file write flaw.
While the CVE-2021-45467 file inclusion vulnerability was patched, Octagon Networks says that they saw how "some managed to reverse the patch and exploit some servers."

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.