What vulnerability is CISA warning about in Control Web Panel?

CISA is warning of active exploitation of a critical remote command execution vulnerability in Control Web Panel (CWP), formerly known as CentOS Web Panel. The flaw is tracked as CVE-2025-48703 with a CVSS score of 9.0. It allows unauthenticated remote attackers with knowledge of a valid non-root username to execute arbitrary shell commands on vulnerable systems, potentially leading to complete server compromise.

What is CVE-2025-48703?

CVE-2025-48703 is a critical remote command execution vulnerability with a CVSS score of 9.0 affecting Control Web Panel. It allows unauthenticated remote attackers who know a valid non-root username to execute arbitrary shell commands on vulnerable systems, potentially leading to complete server compromise. CISA has confirmed that this vulnerability is being actively exploited.

Which versions of Control Web Panel are vulnerable?

All versions of Control Web Panel prior to 0.9.8.1205 are vulnerable to CVE-2025-48703, the critical command injection flaw. Control Web Panel version 0.9.8.1205, released on June 18, 2025, contains the security fix for this vulnerability.

How many Control Web Panel instances are at risk?

According to Shodan, over 220,000 CWP instances are currently internet-facing, though the exact number still running vulnerable versions remains unclear. Given that the vulnerability affects all versions prior to 0.9.8.1205, a significant portion of these systems may be at risk.

Has Control Web Panel patched CVE-2025-48703?

Yes, Control Web Panel version 0.9.8.1205, released on June 18, 2025, contains the security fix for CVE-2025-48703. Organizations running Control Web Panel should update to this version or later immediately to protect against active exploitation.

What are the indicators of compromise for CVE-2025-48703?

Indicators of compromise include unexpected network connections to external IP addresses, suspicious chmod command executions in logs that include shell metacharacters, new or modified shell configuration files such as .bashrc or .bash_profile, unauthorized additions to SSH authorized_keys files, suspicious cron jobs or scheduled tasks, new user accounts not created through normal processes, connections to unfamiliar external IPs, unusual processes running with web server privileges, and web shell files or backdoor scripts in web-accessible directories.

Who discovered the Control Web Panel vulnerability?

Security researcher Maxime Rinaudo discovered the CVE-2025-48703 vulnerability in Control Web Panel's changePerm endpoint. The researcher identified that the endpoint processes requests even when the per-user identifier parameter is omitted and that the t_total parameter is passed directly into shell commands without proper sanitization.

Is CVE-2025-48703 being actively exploited?

Yes, CISA is warning of active exploitation of CVE-2025-48703. This means attackers are currently using this vulnerability to compromise Control Web Panel installations in the wild, making it critical for organizations to patch immediately or implement mitigations.

What is the severity level of CVE-2025-48703?

CVE-2025-48703 has a CVSS score of 9.0, which is classified as critical severity. This high rating reflects the ease of exploitation for unauthenticated attackers, the significant potential impact including complete server compromise, active exploitation in the wild, and the large number of potentially vulnerable internet-facing installations.

What ports does Control Web Panel use?

Control Web Panel typically uses port 2083 for the user panel and port 2087 for the admin panel. Organizations implementing network access restrictions as a mitigation measure should focus on restricting access to these ports to trusted IP addresses or VPN networks only.

What Linux distributions does Control Web Panel support?

Control Web Panel provides server administration capabilities for managing web servers running CentOS, Rocky Linux, and AlmaLinux distributions. Originally developed as CentOS Web Panel, it has expanded support to include these related Linux distributions commonly used for web hosting.

Advisory

CISA reports active exploitation of critical vulnerability in CentOS Web Panel

Q: How does the Control Web Panel vulnerability work?

The vulnerability is in the changePerm endpoint in CWP's file manager module. The endpoint processes requests even when the per-user identifier parameter is omitted, allowing unauthenticated requests. The t_total parameter, which functions as a file permission mode value in the chmod system command, is passed directly into a shell command without adequate sanitization or input validation. This creates an OS command injection vulnerability where attackers can inject shell metacharacters and arbitrary commands that the server will execute with the privileges of the targeted user account.

Q: What should I do if I cannot immediately patch Control Web Panel?

Organizations that cannot immediately patch should restrict network access to CWP's management interface (typically port 2083 for user panel and port 2087 for admin panel) only from trusted IP addresses or VPN networks. This reduces the attack surface while organizations work on applying the patch.

published: Nov. 5, 2025

Take action: If you use Control Web Panel (CWP) to manage your Linux servers, this is URGENT. Update immediately to version 0.9.8.1205 or later. Hackers are actively hacking the CWP and you can't really hide it without disabling functionality. If you can't patch, make the CWP management interface (ports 2083 and 2087) accessible via trusted IP addresses or VPN networks. Then check your systems for signs of compromise like unexpected user accounts or suspicious processes.

Learn More

CISA is warning of active exploitation of a critical remote command execution vulnerability in Control Web Panel (CWP), formerly known as CentOS Web Panel.

Control Web Panel is an open-source web hosting control panel designed to simplify Linux server management for system administrators and hosting providers. Originally developed as CentOS Web Panel, the software provides server administration capabilities for managing web servers running CentOS, Rocky Linux, and AlmaLinux distributions.

The flaw is tracked as CVE-2025-48703 (CVSS score: 9.0). It allows unauthenticated remote attackers with knowledge of a valid non-root username to execute arbitrary shell commands on vulnerable systems, potentially leading to complete server compromise.

The vulnerability is caysed by the changePerm endpoint in the in CWP's file manager module responsible for handling file permission changes. Security researcher Maxime Rinaudo discovered that the endpoint processes requests even when the per-user identifier parameter is omitted, allowing unauthenticated requests to reach code that expects an authenticated, logged-in user context. The t_total parameter—which functions as a file permission mode value in the chmod system command—is passed directly into a shell command without adequate sanitization or input validation. This creates an OS command injection vulnerability where attackers can inject shell metacharacters and arbitrary commands that the server will execute with the privileges of the targeted user account.

Attackers need to know or guess a valid non-root username on the target CWP installation. Security researchers note that usernames are often predictable, following common patterns like admin, user, webmaster, or company-specific naming conventions. Once an attacker identifies a valid username, they can craft a malicious HTTPS POST request to the file manager changePerm endpoint (filemanager&acc=changePerm) with a crafted t_total parameter value containing shell metacharacters and command injection payloads.

In proof-of-concept demonstrations, researchers successfully spawned reverse shells, dropped web shells for persistent access, created new backdoor accounts, modified system configurations, exfiltrated sensitive data, and pivoted to other systems within the network infrastructure.

All versions prior to 0.9.8.1205 are vulnerable to this critical command injection flaw. According to Shodan, over 220,000 CWP instances are currently internet-facing, though the exact number still running vulnerable versions remains unclear.

Control Web Panel version 0.9.8.1205, released on June 18, 2025, contains the security fix for this vulnerability.

Organizations running Control Web Panel should patch their systems ASAP.

Organizations that can't immediately patch their should restrict network access to CWP's management interface (typically port 2083 for user panel and port 2087 for admin panel) only from trusted IP addresses or VPN networks.

Security teams should conduct compromise assessments on all CWP installations to identify potential exploitation.

Indicators of compromise include:

unexpected network connections to external IP addresses,
suspicious chmod command executions in application or system logs that include shell metacharacters or unusual file permission patterns,
new or modified shell configuration files such as .bashrc, .bash_profile, or .profile,
unauthorized additions to SSH authorized_keys files,
suspicious cron jobs or scheduled tasks, n
ew user accounts that were not created through normal administrative processes,
connections to unfamiliar or suspicious external IP addresses,
unusual processes running with web server or application user privileges,
eb shell files or backdoor scripts in web-accessible directories.

CISA reports active exploitation of critical vulnerability in CentOS Web Panel

Read More
Path traversal vulnerability in Docker compose enables system …
ZITADEL Admin API flaw enables IDOR exploit
FBI warns that Barracuda ESG appliances should be …
Critical remote code execution flaw in Ollama AI …
Ivanti patches another two critical issues its Avalanche …