A critical remote code execution vulnerability in CentOS Web Panel, tracked as CVE-2025-48703, is currently being exploited in the wild. This flaw, which affects versions of CWP before 0.9.8.1205, allows unauthenticated attackers to execute arbitrary code by leveraging shell metacharacters in the `t_total` parameter during a filemanager changePerm request. However, attackers must first obtain a valid non-root username to exploit this vulnerability.
The vulnerability has been assigned a CVSS score of 9, indicating its critical nature, and it has been included in the Known Exploited Vulnerabilities (KEV) catalog as of November 4, 2025. The Exploit Prediction Scoring System (EPSS) rates it at 0.620, reflecting a significant likelihood of exploitation. Notably, proof-of-concept exploits are already available, with three distinct PoCs circulating, underscoring the urgency for administrators to address this issue.
The time to exploitation in the wild was notably swift, occurring within 46 days of the vulnerability's disclosure on September 19, 2025. This rapid exploitation highlights the need for immediate attention from organizations using CentOS Web Panel to mitigate potential risks.
Administrators are urged to update to the latest version of CWP to protect against this vulnerability. Given the critical nature of the flaw and its active exploitation, organizations should prioritize patching and verify that their systems are not compromised. The Security System Vulnerability Classification (SSVC) recommends attending to this issue promptly to prevent unauthorized access and potential system compromise.
CSURFACE