CVE-2021-31324

9.8 CRITICAL

📋 TL;DR

CVE-2021-31324 is a command injection vulnerability in CentOS Web Panel's unprivileged user portal that allows attackers to execute arbitrary commands with root privileges. This affects all CentOS Web Panel installations with the vulnerable component enabled. Attackers can achieve complete system compromise through remote code execution.

💻 Affected Systems

Products:
  • CentOS Web Panel
Versions: All versions prior to 0.9.8.1147
Operating Systems: CentOS, RHEL-based Linux distributions
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default installation of CentOS Web Panel with the user portal enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover with root access, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to web server compromise, data theft, and potential ransomware deployment.

🟢 If Mitigated: Limited impact if proper network segmentation and least privilege principles are implemented.

🌐 Internet-Facing: HIGH - The vulnerability affects web-accessible interfaces and requires no authentication.
🏢 Internal Only: HIGH - Even internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available and exploitation requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.8.1147 and later

Vendor Advisory: https://centos-webpanel.com/changelog-cwp7

Restart Required: Yes

Instructions:

1. Backup your system and configuration.
2. Update CentOS Web Panel using the built-in updater or command line.
3. Restart the web panel services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable User Portal

Temporarily disable the vulnerable user portal component:

  systemctl stop cwp-httpd
  systemctl disable cwp-httpd

Network Access Control

Restrict access to the CentOS Web Panel interface using firewall rules. Replace TRUSTED_IP with the address or range that should keep access; because -A appends, make sure no earlier rule already accepts traffic on that port, and save the rules so they survive a reboot:

  iptables -A INPUT -p tcp --dport 2030 -s TRUSTED_IP -j ACCEPT
  iptables -A INPUT -p tcp --dport 2030 -j DROP

🧯 If You Can't Patch

  • Isolate the affected system from the internet and critical internal networks
  • Implement strict network segmentation and monitor all traffic to/from the vulnerable system

🔍 How to Verify

Check if Vulnerable:

Read the installed CentOS Web Panel version from the services status file:

  grep version /usr/local/cwpsrv/var/services/status.json

Verify Fix Applied:

Confirm the reported version is 0.9.8.1147 or higher, then test that command injection attempts against the user portal are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in web panel logs
  • Suspicious POST requests to user portal endpoints
  • Unexpected system commands in /var/log/messages

Network Indicators:

  • Unusual outbound connections from web panel server
  • Traffic to known malicious IPs from web panel interface

SIEM Query:

source="cwp_logs" AND ("cmd=" OR "exec=" OR "system(") AND status=200
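The version check from "How to Verify" and the SIEM logic above, as an added example that is not part of this advisory: it compares the installed build against 0.9.8.1147 and flags access-log lines that carry one of the indicator strings and were answered with HTTP 200. The status.json layout (a top-level "version" key), the log format and the request paths are assumptions; the log lines are constructed.

```python
import json
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# First release the advisory lists as fixed for CVE-2021-31324.
FIXED_VERSION = "0.9.8.1147"

# Indicator substrings taken from the advisory's SIEM query.
INDICATORS = ("cmd=", "exec=", "system(")

# Constructed sample access-log lines (hypothetical paths, not real CWP endpoints).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2021:10:00:01 +0000] "GET /login/index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Mar/2021:10:00:07 +0000] "POST /user/index.php?cmd=id HTTP/1.1" 200 84',
    '10.0.0.9 - - [01/Mar/2021:10:00:09 +0000] "POST /user/index.php?exec=id HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Mar/2021:10:00:11 +0000] "GET /user/?x=system%28id%29 HTTP/1.1" 200 20',
]

LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted CWP version such as '0.9.8.1147' into an integer tuple."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the first patched release."""
    return parse_version(installed) < parse_version(fixed)

def version_from_status(status_json: str) -> str:
    """Pull the version string out of status.json.
    Assumption: the file is a JSON object with a top-level 'version' key;
    the advisory only shows grep'ing the file for that word."""
    return json.loads(status_json)["version"]

def flag_requests(lines: Iterable[str]) -> List[str]:
    """Apply the SIEM logic to access-log lines: an indicator in the
    (URL-decoded) request path together with an HTTP 200 response."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if match is None or match.group("status") != "200":
            continue
        # Decode so percent-encoded forms such as system%28 are still caught.
        request = unquote(match.group("path"))
        if any(marker in request for marker in INDICATORS):
            hits.append(line)
    return hits
```

Requests answered with anything other than 200 are skipped on purpose, matching the advisory's query; widen the status filter if you also want to see blocked attempts.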
