CVE-2022-44877 is a critical unauthenticated command injection vulnerability in Control Web Panel (CWP), formerly CentOS Web Panel, affecting versions before 0.9.8.1147. The flaw is present in login/index.php, where the login parameter is insufficiently sanitized and shell metacharacters are interpreted by the underlying operating system shell. By supplying crafted input to this parameter, a remote attacker can inject and execute arbitrary OS commands without authentication. The vulnerability is trivial to exploit remotely and has been publicly demonstrated with proof-of-concept code. Observed exploitation has included spawning interactive terminals and launching reverse-shell style command execution on unpatched systems.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository contains a Bash script (script.sh) and a README.md. The script targets CVE-2022-44877, a command injection vulnerability in Control Web Panel (CWP) prior to version 0.9.8.1147. The script provides three main functions: 'scan' (test a single URL for vulnerability using a time-based payload), 'exploit' (execute an arbitrary bash command on a vulnerable target), and 'masscan' (scan multiple URLs from a file for vulnerability). The exploit works by sending a specially crafted HTTP POST request to the /login/index.php endpoint of the target, injecting a base64-encoded command that is decoded and executed by the server if vulnerable. The script is operational, allowing for both detection and exploitation, and is intended for use against Linux-based CWP installations. The only code file is script.sh, which is the entry point for all functionality.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specific CVE included in TuxBot's exploit VM package, but the VM is broken so the exploit package never executes in the analyzed version.
A specific vulnerability (CVE-2022-44877) that CRYSTALRAY/SSH-Snake operators scan for and exploit using public proof-of-concept code, then modify to deliver their own payloads (e.g., Platypus or Sliver implants) for access and persistence.
A trivial unauthenticated remote command injection vulnerability in CentOS Web Panel (CWP) that allows attackers to execute arbitrary commands on the target system without authentication.
A trivial unauthenticated remote command injection vulnerability in CentOS Web Panel (CWP) that allows attackers to execute arbitrary commands on the target system without authentication.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.