Two security vulnerabilities that impact the Control Web Panel (CWP) software can be chained by unauthenticated attackers to gain remote code execution (RCE) as root on vulnerable Linux servers.
CWP, previously known as
CentOS Web Panel, is a free Linux control panel for managing dedicated web hosting servers and virtual private servers.
The two security flaws found by Octagon Networks'
Paulos Yibelo are a file inclusion vulnerability (CVE-2021-45467) and a file write (CVE-2021-45466) bug that lead to RCE when chained together.
In short, successful exploitation requires bypassing security protections to prevent attackers from reaching the restricted API section without authentication.
This can be done by registering an API key using the file inclusion bug and creating a malicious authorized_keys file on the server using the file write flaw.
While the CVE-2021-45467 file inclusion vulnerability was patched, Octagon Networks says that they saw how "some managed to reverse the patch and exploit some servers."
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
