CVE-2022-44877

CVE Database · CVE-2022-44877

CVE-2022-44877

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

99.99%

Published

Jan 5, 2023

Modified

Nov 3, 2025

CISA Known Exploited Vulnerability

Added: 2023-01-17 · Due: 2023-02-07

Apply updates per vendor instructions.

Public PoC / Exploit (12)

All weaponized →

Exploit-DBCentos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)NucleiNuclei detection template Exploit-DBControl Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)TrickestTrickest PoC index GitHub PoCnumanturle/CVE-2022-44877★103 GitHub PoCkomomon/CVE-2022-44877-RCE★9 GitHub PoChotpotcookie/CVE-2022-44877-white-box★6 GitHub PoCChocapikk/CVE-2022-44877★3 GitHub PoCColdFusionX/CVE-2022-44877-CWP7★1 GitHub PoCdkstar11q/CVE-2022-44877★0 GitHub PoCrhymsc/CVE-2022-44877-RCE★0 GitHub PoCG01d3nW01f/CVE-2022-44877★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78CWE-78

Affected Products (1)

control-webpanel · webpanel (up to 0.9.8.1147)vulnerable

References (13)

http://packetstormsecurity.com/files/170388/Control-Web-Panel-7-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/170820/Control-Web-Panel-Unauthenticated-Remote-Command-Execution.html

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/171725/Control-Web-Panel-7-CWP7-0.9.8.1147-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2023/Jan/1

ExploitMailing ListThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs