Linux Servers at Risk of RCE Due to Critical CWP Bugs
Researchers have discovered two critical bugs in Control Web Panel (CWP) – a popular web hosting management software used by 200K+ servers – that could allow for remote code execution (RCE) as root on vulnerable Linux servers.
CWP, formerly known as CentOS Web Panel, is an open-source Linux control panel software used for creating and managing web hosting environments. The software supports the operating systems CentOS, Rocky Linux, Alma Linux and Oracle Linux.
The two vulnerabilities – found by Octagon Networks’ Paulos Yibelo – are tracked as CVE-2021-45467 (a file inclusion vulnerability) and CVE-2021-45466 (a file write bug). When chained, the two vulnerabilities can lead to RCE. The problems are found in parts of the CWP panel that are exposed without authentication in the webroot, according to Octagon’s writeup.
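The writeup quoted above gives only the bug classes, not the affected code, so the following is an added illustration rather than CWP's own source: the generic shape of a file-inclusion flaw in an unauthenticated PHP page, beside a hardened version that requires a session and resolves the requested page through a fixed allowlist. The `page` parameter, the `pages/` directory and the function names are hypothetical.

```php
<?php
// Added example, not CWP's code. Parameter names and paths are hypothetical.

// VULNERABLE pattern: an unauthenticated script in the webroot builds an
// include path from request input, so the request decides what is included.
// A separate file-write bug (the class of the second CVE) can supply the
// contents of the file that ends up being included.
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    include __DIR__ . '/pages/' . $page . '.php';   // no validation at all
}

// HARDENED pattern: require authentication first, then map the request to a
// file through an allowlist instead of string concatenation, and finally
// confirm the resolved path really lives under the expected directory.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'account' => 'account.php',
];

function render_page_hardened(array $get, bool $authenticated): void
{
    if (!$authenticated) {
        http_response_code(401);
        return;
    }

    $page = $get['page'] ?? 'home';
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        http_response_code(404);
        return;
    }

    // realpath() canonicalises the path; the prefix check guards against the
    // allowlist itself being edited carelessly later on.
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . ALLOWED_PAGES[$page]);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        http_response_code(404);
        return;
    }

    include $path;
}
```

The defensive point is the combination: keeping management pages behind authentication removes the unauthenticated exposure the writeup describes, and resolving includes through an allowlist means a file-write bug elsewhere no longer turns into code execution.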