CISA, the United States government’s cybersecurity agency, has given federal agencies until early February to patch a critical and already exploited security flaw in the widely used CentOS Control Web Panel utility.
The organization added the CVE-2022-44877 vulnerability to its KEV (Known Exploited Vulnerabilities) catalog and gave federal agencies until February 7 to test and implement a fix. Security experts cautioned earlier this month that live attacks would result from the release of proof-of-concept code and a YouTube video demonstration.
The threat-hunting organizations GreyNoise and Shadowserver soon discovered evidence of exploitation in the wild. The bug is an OS command injection flaw: shell metacharacters supplied in the login parameter let remote attackers execute commands.
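As an added detection example (not code from the article, from CISA, or from the Control Web Panel project), the function below scans web-server access log lines for requests whose `login` parameter carries shell metacharacters, the pattern described above. The log format is Apache/Nginx common log format, the `/login/index.php` path and the log lines themselves are constructed placeholders, and credentials sent in a POST body will not appear in an access log, so this only covers query-string use.

```python
import re
from urllib.parse import urlsplit, parse_qs

# POSIX shell metacharacters; a legitimate login name should contain none of them.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Common log format: client IP first, request line in double quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')

def login_values(request_line):
    """Return all 'login' query-parameter values in a request line, percent-decoded once."""
    parts = request_line.split(" ")
    if len(parts) != 3:  # expect "METHOD TARGET HTTP/x.y"
        return []
    query = urlsplit(parts[1]).query
    return parse_qs(query, keep_blank_values=True).get("login", [])

def suspicious_logins(log_lines):
    """Return (client_ip, login_value) for requests whose login parameter holds shell metacharacters."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in login_values(m.group("req")):
            if SHELL_META.search(value):
                findings.append((m.group("ip"), value))
    return findings

# Constructed sample log lines (not real traffic); the endpoint path is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jan/2023:10:00:00 +0000] "GET /login/index.php?login=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jan/2023:10:00:05 +0000] "GET /login/index.php?login=admin%3B%26%26 HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Jan/2023:10:00:09 +0000] "POST /login/index.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, value in suspicious_logins(SAMPLE_LOG):
        print(f"{ip}: login parameter contains shell metacharacters: {value!r}")
```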