Control Web Panel OS Command Injection Exploitation Increases After POC Release

Threat Level – Red | Vulnerability Report

On January 3, 2023, a security researcher published a proof-of-concept exploit for a vulnerability in Control Web Panel (CWP) that allows unauthenticated remote code execution. By January 6, the vulnerability was being actively exploited in the wild. The flaw arises because incorrect entries are logged to the system through a bash command that wraps the logged value in double quotes, and bash still evaluates commands embedded in a double-quoted string. An attacker can therefore remotely execute any operating system command by placing shell metacharacters in the login parameter (login/index.php).
