Funny, this started as an information sharing thread but then devolved from there -- getting into sour personal attacks. I'm sorry I ever touched this tar baby. My point was, I can appreciate your report and will keep it on the radar because I see that you have a history here and contribute in a meaningful way. But when someone brand new comes on the scene trotting out security buzzwords and offering dubious advice about deleting the filemanager (instead of mitigating the attack vector in a non-destructive way)... well, take that for what it is. I'll go back to monitoring my servers now.
(Both security disclosures you linked to claim the CWP devs have patched the flaw, and both indicated it was against CentOS 7 -- so it bears monitoring but not hyperventilating.)
Thats not accurate. The problem isnt limited to CentOS 7 it also affects AlmaLinux 8. The vulnerability lies in filemanager.php, which is written in PHP and is identical across all supported OSes. What changes between CentOS and AlmaLinux is the system environment, not the CWP PHP panel code.
All six of my servers run AlmaLinux 8, and three were compromised due to this exact issue.
I dont know Doridian personally, but his suggested solution is a good temporary mitigation. Renaming or removing filemanager.php is low-risk, and CWP will restore it once an official patch is released. Ive renamed it on all my servers, its a simple step to reduce exposure.
This is a critical vulnerability, and it is not fixed in the current version, despite what the articles say.
You can check if your server might have been affected by running:
find /home -type f -name "defauit.php" 2>/dev/null
That file (defauit.php with an i) appeared across all compromised accounts on my affected servers.