CentOS Web Panel - Authorization Bypass (CVE-2021-45467)
2 exploiting IPs reported
In CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1107, an unauthenticated attacker can use %00 bytes to cause /user/loader.php to register an arbitrary API key, as demonstrated by a /user/loader.php?api=1&scripts= .%00./.%00./api/account_new_create&acc=guadaapi URI. Any number of %00 instances can be used, e.g., .%00%00%00./.%00%00%00./api/account_new_create could also be used for the scripts parameter.
CrowdSec analysis
CVE-2021-45467 is a critical vulnerability in CWP (Control Web Panel) before version 0.9.8.1107 that allows unauthenticated attackers to exploit null byte injection in /user/loader.php, enabling them to register arbitrary API keys. This flaw can be leveraged for remote code execution, unauthorized access, or further compromise of the affected server.
CrowdSec has been tracking this vulnerability and its exploits since 26 November 2025.
Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2021-45467 is fully opportunistic, with attackers indiscriminately scanning the entire internet. These attacks are automated and lack any form of target selection or reconnaissance. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2021-45467. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.
Attackers exploit the /user/index.php and /user/login.php endpoints by injecting null bytes (%00) and directory traversal sequences into the scripts parameter to access sensitive files or execute arbitrary actions. These requests often contain multiple .%00%00%00./ patterns targeting files like /etc/passwd.
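As an added example (not CrowdSec's own scenario or code), the pattern described above turned into a small log-side detector: it parses Apache-style access-log lines, keeps only requests to the CWP /user/ endpoints, percent-decodes the `scripts` parameter and flags any value carrying a NUL byte, noting when stripping the NULs (any number of them, as the advisory says) exposes a `../` traversal. The log lines, IPs and timestamps are constructed; the endpoint list and request shape come from the page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). Lines 1-2 follow the
# request shape from the CVE description; lines 3-4 are benign CWP traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Nov/2025:10:00:01 +0000] "GET /user/loader.php?api=1&scripts=.%00./.%00./api/account_new_create&acc=guadaapi HTTP/1.1" 200 512
203.0.113.11 - - [26/Nov/2025:10:00:02 +0000] "GET /user/index.php?scripts=.%00%00%00./.%00%00%00./.%00%00%00./etc/passwd HTTP/1.1" 200 1024
198.51.100.5 - - [26/Nov/2025:10:00:03 +0000] "GET /user/login.php?scripts=dashboard HTTP/1.1" 200 2048
198.51.100.6 - - [26/Nov/2025:10:00:04 +0000] "POST /user/index.php HTTP/1.1" 302 0
"""

# Combined-log-format prefix: client IP, then the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Endpoints named on the page as the ones probed for CVE-2021-45467.
CWP_ENDPOINTS = {"/user/loader.php", "/user/index.php", "/user/login.php"}


def classify_request(line):
    """Return (client_ip, path, reason) if the line matches the
    CVE-2021-45467 probe pattern, otherwise None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in CWP_ENDPOINTS:
        return None
    # parse_qs percent-decodes, so each %00 becomes a literal NUL here.
    for value in parse_qs(parts.query, keep_blank_values=True).get("scripts", []):
        if "\x00" not in value:
            continue
        # Any number of NULs may sit between the dots; drop them all before
        # looking for the traversal sequence they were hiding.
        if "../" in value.replace("\x00", ""):
            return (m.group("ip"), parts.path, "null-byte traversal in scripts")
        return (m.group("ip"), parts.path, "null byte in scripts")
    return None


def scan_log(text):
    """Return the list of (client_ip, path, reason) hits for a log text."""
    return [hit for hit in map(classify_request, text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, path, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

A NUL-only hit without a traversal sequence is still worth alerting on, since a legitimate `scripts` value never contains a null byte.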
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.