What is CWP Control Web Panel?
CWP (Control Web Panel, formerly CentOS Web Panel) is a free, widely used Linux web hosting control panel that allows server administrators to manage web hosting accounts, domains, email, databases, and server configurations through a web interface. It is commonly deployed by web hosting providers and individual Linux server operators as an alternative to commercial control panels like cPanel. CWP's web management interface is typically internet-accessible, which leaves it reachable by any scanner or attacker on the internet. Thousands of servers run CWP globally, making vulnerabilities in it attractive targets for mass exploitation campaigns that seek to compromise web hosting infrastructure.
Overview
CVE-2022-44877 is a critical OS command injection vulnerability (CWE-78, CVSS 9.8) in CWP Control Web Panel. An unauthenticated remote attacker can inject and execute arbitrary OS commands by including shell metacharacters in the login parameter of the panel's login form. The injected commands execute on the underlying Linux server with the privileges of the web server process (typically root or a high-privilege user in CWP's architecture). CWP patched the issue in October 2022, but the vulnerability was not broadly publicized until January 2023, when a proof-of-concept exploit was published, triggering mass exploitation within days. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog on January 17, 2023.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| CWP Control Web Panel | v0.9.8.1147 and earlier | v0.9.8.1149 |
Technical Details
The vulnerability (CWE-78: OS Command Injection) exists in CWP's login endpoint. The login functionality processes user-supplied credentials through server-side code that constructs or passes values to system-level functions without adequately sanitizing shell-special characters.
An unauthenticated attacker can submit a POST request to the CWP login endpoint with a crafted login parameter containing shell metacharacters (pipe, semicolon, backtick, $() substitution, or similar). The server-side code passes this input to a shell command without escaping, causing the injected portion to be executed as a system command. Because no authentication is required to reach the login endpoint, the attack is fully pre-authentication and requires a single HTTP request.
CWP typically runs its web interface with elevated Linux privileges to manage system configuration — meaning the injected commands often execute with root or near-root privileges on the server.
Discovery
The patch was silently released by CWP in October 2022 as part of version 0.9.8.1149, without a public security advisory. In early January 2023, security researchers reverse-engineered the patch and identified the vulnerability, publishing a proof-of-concept. The publication immediately triggered mass exploitation as threat actors scanned for and attacked unpatched CWP installations globally.
Exploitation Context
Following the publication of the proof-of-concept in January 2023, security researchers observed widespread automated exploitation targeting internet-accessible CWP panels. The typical exploitation pattern involved:
- Automated mass scanning using tools like Shodan or Censys to identify CWP installations
- Credential harvesting: extracting database credentials, cPanel accounts, and hosted website configurations
- Webshell installation for persistent access
- Cryptomining malware deployment (a common outcome of compromised hosting infrastructure)
- Use as a platform for further attacks against hosted websites and their customers
Web hosting control panel vulnerabilities are particularly impactful because a single server compromise often yields access to dozens or hundreds of hosted domains, databases, and email accounts belonging to the server's customers.
Remediation
- Upgrade to CWP v0.9.8.1149 or later: Apply the update through CWP's built-in update mechanism or by downloading from the CWP website.
- Restrict management interface access: CWP's management interface (typically on ports 2030, 2031, 2082, 2083, 2086) should be firewalled to only allow connections from administrator IP addresses. Never expose CWP directly to the internet without IP restrictions.
- Audit for compromise: If CWP was internet-accessible before patching, review system logs for unexpected commands, new user accounts, cron jobs, or files in web-accessible directories.
- Review hosted accounts: Check hosted websites for injected malware or unauthorized file modifications — attackers who compromise the hosting panel often target hosted websites and databases.
- Rotate all credentials: Treat all passwords stored in CWP (database passwords, email accounts, FTP credentials) as potentially compromised.
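One way to triage access logs for the audit step above, added here as an example and not taken from CWP or the original advisory: it flags requests whose `login` parameter decodes to a value containing the shell metacharacters listed under Technical Details. It assumes combined-format access logs and that the parameter appears in the logged request URI (request bodies are not recorded in standard access logs); the log lines and the `/PANEL-LOGIN-PATH` placeholder are constructed.

```python
import re
from urllib.parse import unquote_plus

# Metacharacters named in the advisory: pipe, semicolon, backtick, $() substitution.
SHELL_META = re.compile(r"[|;`]|\$\(")
# Combined log format: client IP ... "METHOD URI PROTOCOL" STATUS ...
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(raw, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def suspicious_login_value(uri):
    """Return the decoded `login` value if it holds shell metacharacters, else None."""
    _, _, query = uri.partition("?")
    for pair in query.split("&"):  # split on '&' only; a raw ';' stays in the value
        name, _, raw = pair.partition("=")
        if unquote_plus(name) == "login":
            value = decode_fully(raw)
            if SHELL_META.search(value):
                return value
    return None

def scan(lines):
    """Return (ip, method, status, decoded login value) for each flagged log line."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            value = suspicious_login_value(m["uri"])
            if value is not None:
                findings.append((m["ip"], m["method"], int(m["status"]), value))
    return findings

# Constructed sample lines; /PANEL-LOGIN-PATH is a placeholder, not CWP's real path.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2023:10:00:01 +0000] "POST /PANEL-LOGIN-PATH?login=admin HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Jan/2023:10:00:05 +0000] "POST /PANEL-LOGIN-PATH?login=%24%28id%29 HTTP/1.1" 302 0',
    '203.0.113.4 - - [05/Jan/2023:10:00:09 +0000] "POST /PANEL-LOGIN-PATH?login=%2524%2528id%2529 HTTP/1.1" 302 0',
    '192.0.2.33 - - [05/Jan/2023:10:00:12 +0000] "GET /PANEL-LOGIN-PATH?user=a%7Cb HTTP/1.1" 200 512',
    '198.51.100.9 - - [05/Jan/2023:10:00:15 +0000] "POST /PANEL-LOGIN-PATH?login=x%60id%60 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Flagged lines are leads for the audit, not proof of compromise; correlate the source IP and timestamp with new accounts, cron jobs, or files in web-accessible directories.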
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-44877 |
| Vendor / Product | CWP — Control Web Panel |
| NVD Published | 2023-01-05 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2023-01-17 |
| CISA KEV Deadline | 2023-02-07 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2022-10-25 | CWP released version 0.9.8.1149 patching the command injection |
| 2023-01-03 | Security researchers published proof-of-concept exploit; mass exploitation began |
| 2023-01-05 | CVE published |
| 2023-01-17 | CISA added to KEV |
| 2023-02-07 | CISA BOD 22-01 remediation deadline |