The US government’s cybersecurity agency CISA is giving federal agencies an early February deadline to patch a critical -- and already exploited -- security vulnerability in the widely used CentOS Control Web Panel utility.

The agency added the CVE-2022-44877 flaw to its KEV (Known Exploited Vulnerabilities) catalog and set a February 7th deadline for federal agencies to test and deploy an available fix.

Security researchers warned earlier this month that the publication of proof-of-concept code and a YouTube video demonstration would lead to live attacks.  Soon after, threat-hunting outfits GreyNoise and Shadowserver spotted signs of exploitation in the wild. 

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” CISA warned in a note posted alongside the catalog update.

The CWP Control Web Panel utility, previously known as CentOS Web Panel, is a popular, free web hosting panel for enterprise-based Linux systems, offering support for the management and security of both servers and clients.

The bug is described as an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter.

The vulnerability has a CVSS severity score of 9.8/10 and is considered trivial to exploit.

Patches for the CVE-2022-44877 were included in CWP7 version 0.9.8.1147. CWP users are advised to update to this or a newer version of the management panel as soon as possible.

By Ryan Naraine on Wed, 18 Jan 2023 15:45:02 +0000
Original link