Linux Servers at Risk of RCE Due to Critical CWP Bugs

Do you know that the type of Linux control panel you use can put your server at risk? For instance, your server can be at risk of Remote Code Execution (RCE) resulting from two critical bugs in the Control Web Panel (CWP). Platforms like ispmanager offer a Linux web hosting control panel that helps address multiple challenges in safeguarding servers.

In this article, you will discover how two CWP bugs can put your server at risk of RCE and how web hosting providers and system administrators can prevent their servers from this vulnerability.

Control Web Panel (CWP)

CWP was formerly known as CentOS Web Panel, and it supports a few operating systems, which include CentOS, AlmaLinux, Rocky Linux, and Oracle Linux. CWP is a community-driven web hosting panel that provides web hosting providers flexible options to efficiently and effectively manage their servers and businesses.

CWP is free, quick and comes with a user-friendly interface, thus, making it the choice for a wide range of people. Furthermore, CWP is excellent for domain management because it has an advanced DNS manager, making it easier for system administrators to manage domains and DNS records. Hence, the need for a secondary DNS management solution is eliminated.

Remote Code Execution (RCE)

If you have heard of or experienced the execution of commands on your server or system from an external source, you suffer from a cyber attack called RCE. You may ask: how does RCE occur? RCE occurs when web hosting providers or system administrators download malware, allowing the threat actor access to your server or system irrespective of geographic location.

When a threat actor assesses a server or system, he targets a complete takeover by executing his remote codes across the local area network (LAN), wide area network (WAN) or the internet. Apart from a complete takeover, an RCE threat actor can aim to install ransomware, divert funds, disrupt service, secretly extract data, and perform detailed surveillance.

WannaCry is a typical example of an RCE attack. Threat actors succeeded in using WannaCry to infect thousands of servers and systems in 2017, including the client machines connected to infected servers. However, web hosting providers or companies are better aware of RCEs today and have been doubling their efforts to prevent RCE attacks.

RCE attacks and CWP bugs

Two critical bugs on Control Web Panel (CWP) can allow an external threat to use RCE as root on vulnerable Linux servers of web hosting providers. These two bugs or flaws in CWP are CVE-2021-45467 and CVE-2021-45466. The former is a file inclusion vulnerability, while the second is a file write bug. The problem arises when these two bugs or vulnerabilities are chained together because it results in RCE on specific Linux-based servers.

An RCE happens because some parts of the CWP are exposed without authentication in the webroot. Therefore, threat actors target and exploit the two CWP vulnerabilities or bugs to do whatever they want. Examples of what they can do include crashing a server or system and running software in administrator mode.

Furthermore, cyber attackers or threat actors focus on two pages (“/user/loader.php” and “/user/index.php”) to inject their remote codes into servers. Therefore, a threat actor can easily change the “Include Statement” once he has assessed the two pages. Suppose you ask why the “Include Statement” is essential. It is vital because threat actors use it to insert the content of a PHP file into another PHP file before the server executes it.

You must note that the CWP does not lack protections against the malicious acts of threat actors to alter the “Include Statement” and execute their malicious codes. However, they find a way to get around such protections. For instance, the software flags a parameter script with two dots (“..”) as a hacking attempt and does not proceed to process the input. However, threat actors can still break through the protection because the PHP interpreter is fooled into thinking that there are no double dots (..) despite the protection.

How to prevent RCE attacks

Preventing RCE attacks can be challenging because cyber attackers do a lot of work keeping up-to-date lists of recently known bugs and going the extra mile to exploit such vulnerabilities. The slackness of web hosting providers or companies in patching their software and applications makes it easier for threat actors to penetrate servers and systems.

In addition, attackers are likely to reverse the patches to old bugs or vulnerabilities. Nevertheless, web hosts and system administrators must take swift actions to patch and update all software and applications on their Linux servers and systems to the latest versions. Furthermore, you may have to reduce your trust in user inputs to sanitize them appropriately.

Sanitizing user inputs involves filtering and validating data inputs from users, web services, and APIs. To sanitize user inputs, you can either whitelist, blacklist or escape. For instance, whitelisting (allow lists) allows your server or system only to accept valid characters and code strings. Conversely, blacklisting (disallow lists) eliminates dangerous characters such as tabs, line breaks, white spaces, and tags. Lastly, escape sanitizing helps you to eliminate invalid data requests and inputs such that they are not interpreted as codes.


The possibility of threat actors attacking a server by exploiting the two critical CWP bugs to gain full root privileges is high. This then begs the question: how do web hosting providers and system administrators minimize or prevent RCE attacks? A practical way to address this challenge is to patch and update all software on your Linux server and systems to the latest versions. However, it has also been proved that threat actors have been finding ways to reverse patches to exploit some servers.

What about switching to a Linux-based control panel with no risk or vulnerability for RCE attacks? The best decision you can make now is to change to an affordable and reliable commercial control panel like ispmanager Linux control panel.