CVE-2025-48703 is a critical unauthenticated remote-code-execution (OS command injection) vulnerability in Control Web Panel (CWP / CentOS Web Panel) that allows attackers to inject shell metacharacters via the t_total parameter of a filemanager changePerm request.
It affects CWP versions prior to 0.9.8.1205 and is being actively exploited in the wild. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
Immediate actions: identify internet-exposed CWP instances, apply vendor patch (≥ 0.9.8.1205), block/limit access to panel ports.
Technical details
- Vulnerability: OS command injection via shell metacharacters in the t_total parameter used by the CWP file manager changePerm endpoint. CWE-78 classification.
- Affected versions: CWP (Control Web Panel / CentOS Web Panel) versions < 0.9.8.1205. Vendor released 0.9.8.1205 as the security patch.
- Attack vector: HTTP POST to filemanager changePerm endpoint (panel UI endpoints typically on admin/user panel ports such as 2082/2083/2086/2087/2031/2030 depending on install). An attacker injects shell metacharacters into t_total to execute arbitrary commands as the web panel process.
- Precondition: attacker must know a valid non-root username (often trivial to enumerate or infer for hosting systems).
Evidence of exploitation
CISA added CVE-2025-48703 to the Known Exploited Vulnerabilities catalog (Nov 4, 2025), indicating observed exploitation.
Additionally, multiple security vendors and blogs reported active exploitation and public PoCs, Metasploit activity, and scanning against internet-facing CWP instances.
Risk & Impact assessment
The risk of exploitation is high, given the unauthenticated nature of the vulnerability, the availability of public proof-of-concept exploits, and the active scanning and exploitation activity observed in the wild against exposed Control Web Panel instances.
Impact if exploited: Full server compromise (webpanel process privileges → potential privilege escalation, deployment of webshells, coinminer/backdoor deployment, lateral movement to hosted sites/databases). High to critical for hosting providers and multi-tenant systems.
Preventive Measures
- Patch now:
Upgrade CWP to 0.9.8.1205 or later on all instances. This is the primary fix.
Isolate & restrict:
Restrict access to CWP admin ports to trusted IPs (firewall / security groups). Block internet-exposed panel access where possible. - Rotate credentials & keys:
If panels were internet-accessible, rotate admin and service credentials, inspect SSH authorized_keys and rotate SSH keys where necessary. - Monitor:
Add IDS/HTTP WAF rules to detect filemanager/changePerm POSTs and suspicious t_total strings. Increase logging retention for web-panel and webserver logs.
Stay Safe. Stay Secure.
OP Innovate Research Team
