Control Web Panel (CWP) Remote Code Execution (CVE-2022-44877)
Overview
Control Web Panel (CWP) Remote Code Execution, tracked as CVE-2022-44877, affects CWP 7 installations before version 0.9.8.1147. CWP is a server management interface, so compromise of the panel can directly affect hosted services, system configuration, and administrative workflows.
Vulnerability Overview
CVE-2022-44877 is an OS command injection vulnerability in login/index.php in CWP 7. The vulnerable component allowed remote attackers to influence command execution through shell metacharacters in the login parameter.
The issue is notable because it is reachable before authentication. When the affected login path is exposed, an attacker does not need valid panel credentials to reach the vulnerable code path.
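A defender-side check for the condition described above, as an added example that is not part of the original page or of CWP itself: it scans web access log lines for requests to login/index.php whose login parameter decodes to a value containing shell metacharacters. The combined-style log format, the parameter appearing in the logged query string, the metacharacter set, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed set of characters a shell treats specially; none belong in a login name.
SHELL_META = set("$`;|&<>(){}\\\n\r'\"")
# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# login/index.php is the file named on the page; the bare directory is an assumption.
LOGIN_PATHS = ("/login/index.php", "/login/")

def suspicious_login_values(line):
    """Return decoded login values in one log line that contain shell metacharacters."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    # Collapse repeated slashes and ignore case before comparing the path.
    path = re.sub(r"/+", "/", path).lower()
    if path not in LOGIN_PATHS:
        return []
    # parse_qs percent-decodes each value, so encoded metacharacters are caught too.
    values = parse_qs(query, keep_blank_values=True).get("login", [])
    return [v for v in values if SHELL_META & set(v)]

def scan(lines):
    """Return (client_ip, suspicious_values) for every log line that should alert."""
    hits = []
    for line in lines:
        bad = suspicious_login_values(line)
        if bad:
            hits.append((line.split(" ", 1)[0], bad))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jan/2023:10:00:01 +0000] "POST /login/index.php?login=admin HTTP/1.1" 200 512',
    '203.0.113.77 - - [10/Jan/2023:10:00:05 +0000] "POST /login/index.php?login=%24%28PLACEHOLDER%29 HTTP/1.1" 302 0',
    '203.0.113.77 - - [10/Jan/2023:10:00:09 +0000] "GET //login/index.php?login=user%3BPLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Jan/2023:10:00:12 +0000] "GET /index.php?login=%60x%60 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, values in scan(SAMPLE_LOG):
        print(f"ALERT {ip} login={values!r}")
```

A hit from this check means the vulnerable code path was probed, not that the host was compromised; whether the request had any effect depends on the installed CWP version.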
Impact
The vulnerability is rated Critical with a CVSS 3.1 score of 9.8. Successful exploitation can allow unauthenticated remote attackers to execute arbitrary operating system commands on the server.
Because CWP is used for server administration, impact can extend beyond a single web application. CVE-2022-44877 is listed in the CISA Known Exploited Vulnerabilities catalog, so exposed vulnerable panels should be treated as high-priority remediation targets.
Vulnerability Scope
The affected product is Control Web Panel 7 before 0.9.8.1147. Systems running fixed versions, and systems where the administrative panel is not reachable by untrusted users, fall outside the vulnerable condition described here.
The highest-risk deployments are internet-facing CWP panels where the login interface is publicly reachable and the installation has not been updated.
Lab Focus
This Hackviser lab focuses on recognizing how unsafe handling of login parameters can lead to command injection in an administrative interface. You will practice identifying the vulnerable CWP version range, understanding the unauthenticated attack surface, and connecting command injection impact to server management security.
