Control Web Panel bugs cause remote code execution in Linux servers

Threat Level – Amber | Vulnerability Report
Download PDF

For a detailed advisory, download the pdf file here.

Control Web Panel (CWP) has two vulnerabilities that affect approximately 200k servers that, when combined, could allow an attacker to gain unauthenticated remote code execution (RCE) as root on susceptible Linux servers.

The first is a file inclusion vulnerability (CVE-2021-45467), which lets an attacker to use a malicious API key to deliver a null byte powered file inclusion payload, and the second is a file write vulnerability (CVE-2021-45466), which when chained with the first one allows an attacker to write to a file using an API key.

An unauthenticated attacker can take advantage of these vulnerabilities by changing the include statement, which is used to insert script from one PHP file into another before the server runs it. The actual problem exists when two of the application’s unauthenticated PHP pages, “/user/login.php” and “/user/index.php,” fail to properly validate a path to a script file. A PoC of this exploit would be released by the researchers once most of the vulnerable Linux servers have been updated.

Both these vulnerabilities affect CWP Versions till and has been fixed in version

Vulnerability Details


What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox