Critical CVE-2022-44877 with a severity rating of 9.8 out of 10, recently fixed in the Control Web Panel (formerly known as CentOS Web Panel), allowing an attacker to remotely execute code without authentication, is actively exploited in the wild.

The Web Control Panel, formerly known as the CentOS Web Panel, is a popular server administration tool for enterprise Linux systems.

The bug affects all software versions up to 0.9.8.1147 and was fixed by its maintainers on October 25, 2022 and allows remote attackers to execute arbitrary OS commands using shell metacharacters in the login parameter.

Having reported the problem in October last year, researcher Numan Turle from Gais Cyber Security published an experimental exploit (PoC) and a demo video on January 3, and three days later, researchers from the Shadowserver Foundation and GreyNoise noticed that hackers had begun to exploit the vulnerability.

Shadowserver stated that "exploitation is trivial."

According to them, attackers find vulnerable hosts and use CVE-2022-44877 to create a terminal for interacting with the machine. Other attacks were aimed at identifying vulnerable machines.

GreyNoise stated that they found four unique IP addresses trying to use CVE-2022-44877, two of which are in the United States and one each in the Netherlands and Thailand.

At the same time, all attempts at exploitation are based on the original publicly available PoC, which has been slightly modified to solve the attacker's tasks.

Due to the active exploitation in the wild, users and administrators are advised to take immediate action and update the CWP to the latest available version, currently 0.9.8.1148, released on December 1, 2022.