Exploit drops for remote code execution bug in Control Web Panel


A remote code execution (RCE) pre-authentication vulnerability has been discovered for the widely used web hosting platform Control Web Panel (CWP). On October 25, version of CWP 7 was released after the associated vulnerability had been patched. This version affects all earlier versions.

A free Linux control panel called CWP, formerly known as CentOS Web Panel, is currently being used on about 200,000 servers. Numan Türle, a security engineer with the Turkish information security firm Gais Security, published the Proof of Concept (PoC) on GitHub and YouTube Wednesday, January 5.

Read More…