Back to KEVs

CVE-2022-44877

login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via...

Basic Information

CVE State: PUBLISHED
Reserved Date: November 07, 2022
Published Date: January 05, 2023
Last Updated: January 29, 2025
Vendor: n/a
Product: n/a
Description: login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2023-01-17 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2023-02-11 20:45:08 UTC) Source

References

https://www.youtube.com/watch?v=kiLfSvc1SYY https://gist.github.com/numanturle/c1e82c47f4cba24cff214e904c227386 http://seclists.org/fulldisclosure/2023/Jan/1 http://packetstormsecurity.com/files/170388/Control-Web-Panel-7-Remote-Code-Execution.html http://packetstormsecurity.com/files/170820/Control-Web-Panel-Unauthenticated-Remote-Command-Execution.html http://packetstormsecurity.com/files/171725/Control-Web-Panel-7-CWP7-0.9.8.1147-Remote-Code-Execution.html

Known Exploited Vulnerability Information

Source	Added Date
CISA	2023-01-17 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/control_web_panel_login_cmd_exec.rb	2025-04-29 11:01:12 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-44877.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

control_web_panel_login_cmd_exec

Type: metasploit • Created: Unknown

Metasploit module for CVE-2022-44877

hotpotcookie/CVE-2022-44877-white-box

Type: github • Created: 2023-02-15 15:22:48 UTC • Stars: 6

Red Team utilities for setting up CWP CentOS 7 payload & reverse shell (Red Team 9 - CW2023)

Chocapikk/CVE-2022-44877

Type: github • Created: 2023-02-11 20:45:08 UTC • Stars: 2

Bash Script for Checking Command Injection Vulnerability on CentOS Web Panel [CWP] (CVE-2022-44877)

komomon/CVE-2022-44877-RCE

Type: github • Created: 2023-01-06 16:53:51 UTC • Stars: 9

CVE-2022-44877 Centos Web Panel 7 Unauthenticated Remote Code Execution

numanturle/CVE-2022-44877

Type: github • Created: 2023-01-05 17:29:10 UTC • Stars: 103