CVE Alert: CVE-2025-48703 – centos-webpanel – CentOS Web Panel
CVE-2025-48703
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
AI Summary Analysis
Risk verdict
Critical risk: SSVC records exploitation as active and the CVE is in the CISA Known Exploited Vulnerabilities (KEV) catalogue, so treat remediation as priority 1.
Why this matters
Unauthenticated remote code execution on a hosting control panel hands the attacker the server it manages: they can exfiltrate data, install backdoors, tamper with hosted sites and pivot to anything the host can reach. Realistic attacker goals include data theft, defacement, service disruption and use of the box as a foothold for further internal access.
Most likely attack path
An attacker who knows a valid non-root username (no password or session is required) sends a filemanager changePerm request to the internet-facing panel with shell metacharacters in the t_total parameter, and the injected command runs on the server. The CVSS vector indicates network reachability, no user interaction and high confidentiality, integrity and availability impact with a scope change. The only precondition beyond an exposed endpoint is a guessable or leaked username, which is a weak barrier to automated scanning rather than a real one; the attacker never needs a working credential.
Who is most exposed
Self-hosted, internet-facing CWP installations, typically on cloud or on-prem servers where the panel is reachable from the whole internet rather than from an allowlisted range, and where hosting usernames are guessable (for example derived from domain names) or have already leaked.
Detection ideas
- Unusual t_total parameter values containing shell operators or command payloads during file-management requests.
- New or modified web shells/processes spawned under the web service user.
- Unexpected outbound connections or data transfers from the panel host shortly after filemanager requests, whether or not a login preceded them.
- Spikes in CPU or I/O following requests to the management endpoint.
- filemanager changePerm requests for a given username that have no matching successful login, or that arrive from source IPs and geographies that user has never used.
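The first detection idea above, as an added example that is not part of the original alert or of CWP itself: a small log scanner that pulls the t_total parameter out of filemanager changePerm requests and flags values containing shell metacharacters. The log format, the request path, the body field and the benign value 0755 are all assumptions made for the constructed sample lines; a real deployment would need a reverse proxy or WAF that records POST bodies, since the injected parameter is unlikely to appear in a plain access log. The parameter splitter deliberately splits on & only: a parser that also treats ; as a separator (as older Python parse_qs did) would break 0755;id into two harmless-looking parameters and miss the injection.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Shell metacharacters that should never appear in a permission-style form field.
SHELL_META = re.compile(r"[;|&`$(){}<>'\"\\\n\r]")

# Constructed sample lines (not real CWP logs). Assumed format: CLF prefix,
# then status, then the POST body as a final quoted field ("-" when absent).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Nov/2025:10:02:11 +0000] "POST /user/index.php?module=filemanager&acc=changePerm HTTP/1.1" 200 "user=alice&t_total=0755&fileName=index.php"
203.0.113.10 - - [01/Nov/2025:10:02:15 +0000] "POST /user/index.php?module=filemanager&acc=changePerm HTTP/1.1" 200 "user=alice&t_total=0755;id&fileName=index.php"
198.51.100.7 - - [01/Nov/2025:10:03:40 +0000] "GET /user/index.php?module=filemanager&acc=list HTTP/1.1" 200 "-"
203.0.113.22 - - [01/Nov/2025:10:04:02 +0000] "POST /user/index.php?module=filemanager&acc=changePerm HTTP/1.1" 200 "user=bob&t_total=%24%28id%29&fileName=a"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)


def parse_form(encoded):
    """Split application/x-www-form-urlencoded data on '&' only and decode values.

    Splitting on ';' as well would hide a payload such as 0755;id by turning
    it into two separate parameters, so the separator is fixed here.
    """
    params = {}
    for pair in encoded.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def parse_line(line):
    """Return a dict with ip, ts, method, target, body and merged params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    params = parse_form(urlsplit(entry["target"]).query)
    if entry["body"] != "-":
        for key, values in parse_form(entry["body"]).items():
            params.setdefault(key, []).extend(values)
    entry["params"] = params
    return entry


def is_changeperm(entry):
    """The vulnerable action is identified by the changePerm token in URL or body."""
    return "changePerm" in entry["target"] or "changePerm" in entry["body"]


def suspicious_t_total(entry):
    """Return every t_total value on this request that carries a shell metacharacter."""
    return [v for v in entry["params"].get("t_total", []) if SHELL_META.search(v)]


def scan(log_text):
    """Scan log text and return one alert per changePerm request with a bad t_total."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_changeperm(entry):
            continue
        hits = suspicious_t_total(entry)
        if hits:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"],
                           "user": entry["params"].get("user", ["?"])[0],
                           "t_total": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]} user={alert["user"]} t_total={alert["t_total"]!r}')
```

Run against the constructed sample, the scanner reports the second and fourth lines and ignores the benign 0755 request and the unrelated list action. The decoded value is what gets inspected, so percent-encoding of the metacharacters (as in the fourth line) does not evade the check; a WAF rule encoding the same idea must likewise match after URL decoding.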
Mitigation and prioritisation
- Upgrade to CWP 0.9.8.1205 or later; treat this as priority 1 given the KEV listing and active exploitation.
- Restrict access to the management interface (IP allowlists, VPN, MFA); MFA alone does not stop this flaw, since the request needs no login, so network restriction is the control that matters.
- Deploy WAF rules that block shell metacharacters in the t_total parameter as a stopgap until the upgrade lands, and keep the matched requests for investigation; decode the parameter before matching.
- Audit panel accounts: remove stale or unused hosting usernames (a known non-root username is the attacker's only precondition), enforce least privilege and rotate credentials on any host that was exposed while unpatched.
- Plan a rapid change window for remediation and verify the upgrade in staging before production; given active exploitation, also check exposed hosts for web shells and unexpected processes rather than assuming patching is sufficient.
