CVE-2022-44877

CRITICAL KEV NUCLEI

CWP login.php Unauthenticated RCE

Title source: metasploit

Exploitation Summary

CVE-2022-44877 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 17, 2023. EIP tracks 13 public exploits from researchers including Mayank Deshmukh, numan türle, and numanturle, as well as a Metasploit module, exploits/linux/http/control_web_panel_login_cmd_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a command injection vulnerability in Control Web Panel 7 (CWP7) by injecting a cURL command into the login URL parameter, triggering an out-of-band callback to a listener. It bypasses authentication by exploiting improper input validation in the login endpoint.

Description

login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

Exploits (13)

exploitdb WORKING POC
by Mayank Deshmukh · go · webapps · php
https://www.exploit-db.com/exploits/51250

This exploit leverages a command injection vulnerability in Control Web Panel 7 (CWP7) by injecting a cURL command into the login URL parameter, triggering an out-of-band callback to a listener. It bypasses authentication by exploiting improper input validation in the login endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Control Web Panel 7 (CWP7) < 0.9.8.1147
No auth needed
Prerequisites: Network access to the target CWP7 login page · A listener set up to receive the out-of-band callback
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by numan türle · text · webapps · linux
https://www.exploit-db.com/exploits/51194

This exploit demonstrates an unauthenticated remote code execution (RCE) vulnerability in CentOS Web Panel 7 versions prior to 0.9.8.1147. The vulnerability arises from improper handling of double quotes in the login parameter, allowing arbitrary command injection via a crafted POST request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: CentOS Web Panel 7 < 0.9.8.1147
No auth needed
Prerequisites: Network access to the target system · CentOS Web Panel 7 version < 0.9.8.1147
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 104 stars
by numanturle · remote
https://github.com/numanturle/CVE-2022-44877

This repository contains a working proof-of-concept for CVE-2022-44877, an unauthenticated remote code execution vulnerability in CentOS Web Panel 7 versions prior to 0.9.8.1147. The exploit leverages command injection via the 'login' parameter in the login endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: CentOS Web Panel 7 < 0.9.8.1147
No auth needed
Prerequisites: Network access to the target system · CentOS Web Panel 7 running on port 2031
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 9 stars
by komomon · remote
https://github.com/komomon/CVE-2022-44877-RCE

This repository contains a working proof-of-concept exploit for CVE-2022-44877, an unauthenticated remote code execution vulnerability in CentOS Web Panel 7. The exploit leverages command injection via the login parameter in /login/index.php to execute arbitrary system commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: CentOS Web Panel 7 < 0.9.8.1147
No auth needed
Prerequisites: Network access to the target system · CentOS Web Panel 7 running on port 2031
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 6 stars
by hotpotcookie · poc
https://github.com/hotpotcookie/CVE-2022-44877-white-box

This repository contains a functional exploit for CVE-2022-44877, targeting CentOS Web Panel (CWP) to achieve remote code execution (RCE) via command injection. The PoC includes a reverse shell setup, payload generation, and credential extraction via REST API and John the Ripper.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CentOS Web Panel (CWP) 9.8.1146
No auth needed
Prerequisites: Network access to the target CWP instance · Socat for reverse shell handling · John the Ripper for credential cracking
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by Chocapikk · remote
https://github.com/Chocapikk/CVE-2022-44877

This repository contains a bash script that tests for CVE-2022-44877, a command injection vulnerability in web servers. The script uses a time-based approach to detect vulnerability by measuring the response time of a crafted request.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (likely a web server with a specific PHP-based login endpoint)
No auth needed
Prerequisites: curl · bc · base64 · target URL with vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec STUB 1 star
by ColdFusionX · poc
https://github.com/ColdFusionX/CVE-2022-44877-CWP7

This repository is a placeholder for CVE-2022-44877, an unauthenticated RCE in Control Web Panel 7 (CWP7). It currently contains no exploit code, only a README indicating a PoC will be added later.

Classification: Stub 90%
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Control Web Panel 7 (CWP7)
No auth needed
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by G01d3nW01f · remote
https://github.com/G01d3nW01f/CVE-2022-44877

This Go-based exploit targets CVE-2022-44877 in CentOS Web Panel, leveraging command injection via URL-encoded payloads to achieve remote code execution. It supports multiple C2 types (SSL reverse shell, simple reverse shell, bind shell) and uses base64 encoding for payload obfuscation.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CentOS Web Panel (version not specified)
No auth needed
Prerequisites: Network access to target · Go environment for compilation
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by dkstar11q · remote
https://github.com/dkstar11q/CVE-2022-44877

This repository contains a bash script that tests for CVE-2022-44877, a command injection vulnerability in web servers. The script uses a time-based approach to detect vulnerability by measuring the response time of a crafted request.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown (likely a web server or application with a vulnerable login endpoint)
No auth needed
Prerequisites: curl · bc · base64
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/hotpotcookie/cwp-rce-white-box

This repository contains a functional exploit for CVE-2022-44877, targeting CentOS Web Panel (CWP) with a reverse shell payload. The exploit leverages command injection via crafted POST requests to achieve remote code execution (RCE) and includes utilities for setting up listeners, generating payloads, and extracting credentials.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: CentOS Web Panel (CWP) 9.8.1146
No auth needed
Prerequisites: Access to target CWP login page · Network connectivity for reverse shell callback
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC EXCELLENT
by Spencer McIntyre, Numan Türle · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/control_web_panel_login_cmd_exec.rb

This Metasploit module exploits an unauthenticated command injection vulnerability in Control Web Panel (CWP) versions < 0.9.8.1147. It leverages a flaw in the login.php file to execute arbitrary commands as the root user via a crafted POST request.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Control Web Panel (CWP) < 0.9.8.1147
No auth needed
Prerequisites: Network access to the target CWP instance on port 2031
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

CentOS Web Panel 7 <0.9.8.1147 - Remote Code Execution
CRITICAL · VERIFIED · by For3stCo1d
Shodan: http.title:"Login | Control WebPanel" || http.title:"login | control webpanel"
FOFA: title="login | control webpanel"

Scores

CVSS v3 9.8
EPSS 0.9446
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-01-17
VulnCheck KEV 2023-01-11
InTheWild.io 2023-01-12
ENISA EUVD EUVD-2022-47807
CWE CWE-78
Status published
Products (1)
control-webpanel/webpanel < 0.9.8.1147
Published Jan 05, 2023
KEV Added Jan 17, 2023
Tracked Since Feb 18, 2026