A pre-authentication remote code execution (RCE) vulnerability has been discovered in the widely used web hosting platform Control Web Panel (CWP). Version 0.9.8.1147 of CWP 7, which patches the vulnerability, was released on October 25. The vulnerability affects all earlier versions.
CWP, formerly known as CentOS Web Panel, is a free Linux control panel currently used on about 200,000 servers. Numan Türle, a security engineer with the Turkish information security firm Gais Security, published the Proof of Concept (PoC) on GitHub and YouTube on Wednesday, January 5.