A critical vulnerability has been identified in CWP (Control Web Panel) that allows an unauthenticated attacker to execute arbitrary code remotely. By sending a specially crafted request to the file manager component, an attacker can gain complete control over the affected server. This could lead to a full system compromise, data theft, and significant service disruption.

This vulnerability is a command injection flaw that exists in the filemanager component. The changePerm request improperly sanitizes user-supplied input in the t_total parameter. An unauthenticated remote attacker can inject shell metacharacters (e.g., |, &, ;) into this parameter, which are then executed by the underlying operating system with the privileges of the web server process, resulting in remote code execution.

This vulnerability is rated as critical severity with a CVSS score of 9.0. Successful exploitation allows an unauthenticated attacker to gain full control of the web server. The potential business impact includes theft of sensitive data hosted on the server, deployment of ransomware or cryptocurrency miners, disruption of web services, and reputational damage. The compromised server could also be used as a pivot point to launch further attacks against the internal network, posing a significant risk to the entire organization.

Immediate Action:

• Immediately update all CWP installations to version 0.9.8.1205 or later as recommended by the vendor.
• Prioritize patching for internet-facing systems.

Proactive Monitoring:

• Review web server access logs for requests to the filemanager endpoint, specifically looking for malicious payloads or shell metacharacters within the t_total parameter of a changePerm request.
• Monitor for unexpected outbound network connections or suspicious processes originating from the CWP server.
• Implement file integrity monitoring to detect unauthorized changes to system files.

Compensating Controls:

• If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules to block requests containing shell metacharacters targeting the vulnerable parameter.
• Restrict access to the CWP admin portal to trusted IP addresses only at the network firewall level.
• If the file manager functionality is not essential, consider disabling it or blocking access to its specific endpoints.

Public Exploit Available: false

Given the critical severity (CVSS 9.0) and the potential for unauthenticated remote code execution, immediate patching is strongly recommended for all systems running affected versions of CWP. An attacker requires no credentials or user interaction to gain complete control of a vulnerable server. Organizations must prioritize the deployment of CWP version 0.9.8.1205 or later to mitigate this significant risk before a public exploit becomes available.