CISA Adds Actively Exploited Control Web Panel RCE Flaw to KEV

CISA Warns of Active Exploitation of Critical RCE Vulnerability (CVE-2025-48703) in Control Web Panel, Adds to KEV Catalog

Severity: CRITICAL
Published: November 6, 2025
Updated: November 7, 2025
Categories: Vulnerability, Patch Management, Cyberattack

Related Entities (initial)

Products & Tech: Control Web Panel (CWP)

CVE Identifiers: CVE-2025-48703 (CRITICAL, CVSS 9)

Full Report (when first published)

Executive Summary

On November 5, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48703, a critical OS command injection vulnerability in Control Web Panel (CWP), to its Known Exploited Vulnerabilities (KEV) catalog. This action serves as a definitive warning that the vulnerability is under active attack by threat actors. The flaw, which can lead to unauthenticated remote code execution (RCE), affects a widely used free Linux web hosting management panel, putting countless servers at risk of complete compromise. In response, CISA has set a deadline of November 25, 2025, for U.S. federal agencies to apply patches. All other organizations using CWP are strongly advised to prioritize remediation immediately to prevent system takeover.


Vulnerability Details

CVE-2025-48703 is an OS command injection vulnerability in Control Web Panel (formerly CentOS Web Panel). It allows a remote attacker to execute arbitrary commands on the server with the privileges of the web server user.

The flaw exists in the file manager's changePerm endpoint. An attacker can inject shell metacharacters into the t_total parameter of an HTTPS POST request sent to this endpoint. While the endpoint requires authentication, researchers found that the authentication check could be bypassed if the attacker knows or can guess a valid, non-root username on the CWP instance. Since usernames like admin or the server's domain name are common, this prerequisite is often easy to meet.

Example of a malicious request body:

{
  "t_total": "';/usr/bin/id > /usr/local/cwpsrv/htdocs/resources/admin/modules/file_manager/test.txt;'"
}

This would execute the id command and write the output to a web-accessible file, confirming the RCE.

Affected Systems

  • Control Web Panel (CWP) versions prior to 0.9.8.1205.

The patch was released in June 2025, but any server that has not been updated since then remains vulnerable.

Exploitation Status

This vulnerability is being actively exploited in the wild. CISA's addition of CVE-2025-48703 to the KEV catalog is based on concrete evidence of ongoing attacks. Threat actors are likely scanning the internet for vulnerable CWP instances to compromise them for use in botnets, crypto-mining operations, or as launch points for other attacks.

Impact Assessment

Successful exploitation of this vulnerability leads to a complete compromise of the web server. An attacker can:

  • Host Malicious Content: Deface websites, host phishing pages, or distribute malware.
  • Steal Data: Access and exfiltrate all data from the websites hosted on the server, including databases and user credentials.
  • Gain a Foothold: Use the compromised server as a pivot point to attack other systems within the internal network.
  • System Resource Abuse: Install crypto-miners or add the server to a botnet for DDoS attacks.

For web hosting providers, a single compromised CWP instance could lead to the breach of hundreds or thousands of their customers' websites.

Cyber Observables for Detection

Type: url_pattern
Value: /usr/local/cwpsrv/htdocs/resources/admin/modules/file_manager/
Description: The path to the vulnerable changePerm endpoint.
Context: Monitor web server access logs for POST requests to this specific path.
Confidence: high

Type: command_line_pattern
Value: t_total parameter with shell metacharacters
Description: The t_total parameter in a POST request body containing characters such as ;, |, &, or a backtick.
Context: Inspect the body of POST requests in WAF logs or network traffic captures.

Type: file_name
Value: Unexpected files appearing in web-accessible directories.
Description: A common post-exploitation step is to write a file to confirm RCE or to drop a web shell.
Context: Use File Integrity Monitoring (FIM) on web root directories.
Confidence: medium

Detection Methods

  1. Web Application Firewall (WAF): Implement a WAF rule to inspect POST requests to the CWP file manager endpoint and block any that contain shell metacharacters in the t_total parameter. This is a form of D3-ITF: Inbound Traffic Filtering.
  2. Log Analysis: Ingest CWP access logs into a SIEM and create alerts for POST requests to the vulnerable endpoint, especially if they originate from unusual IP addresses or occur in high frequency.
  3. Vulnerability Scanning: Regularly scan public-facing assets with a vulnerability scanner to identify any servers running a vulnerable version of CWP.

Remediation Steps

  1. Update CWP: The only definitive solution is to update CWP to version 0.9.8.1205 or later. CWP typically has an auto-update feature, but administrators should manually verify that the update has been applied. This is a direct application of D3-SU: Software Update.
  2. Restrict Access: If immediate patching is not possible, restrict access to the CWP admin portal (typically on port 2031) to only trusted IP addresses via firewall rules. This significantly reduces the attack surface.
  3. Post-Update Hardening: After updating, review all user accounts on the CWP instance and remove any that are unnecessary. Enforce strong, unique passwords for all remaining accounts.

Timeline of Events

  1. June 1, 2025: CWP version 0.9.8.1205 is released, patching CVE-2025-48703.
  2. November 5, 2025: CISA adds CVE-2025-48703 to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active attacks.
  3. November 6, 2025: This article was published.

Article Updates

November 7, 2025

New details confirm root-level RCE for CVE-2025-48703 in CWP, CISA advises discontinuing use if unpatchable.

MITRE ATT&CK Mitigations

  • The primary mitigation is to update Control Web Panel to version 0.9.8.1205 or later, which contains the patch for this vulnerability.
  • Use a Web Application Firewall (WAF) to filter inbound requests and block attempts to inject shell commands into the t_total parameter.
  • Restrict network access to the CWP management portal to only trusted IP addresses to reduce the attack surface.

D3FEND Defensive Countermeasures

The addition of CVE-2025-48703 to the CISA KEV catalog makes software update an urgent, non-negotiable action. All administrators of servers running Control Web Panel must immediately verify their installed version. If the version is prior to 0.9.8.1205, an update must be performed without delay. This should be treated as an emergency change. Before updating, it is prudent to take a snapshot or backup of the server. The update can typically be initiated from the CWP dashboard or via a command-line script provided by CWP. After the update is complete, administrators must verify that the new version is active and that all hosted websites are functioning correctly. Failure to patch leaves the server exposed to an active, ongoing threat that can lead to a full compromise.

As a defense-in-depth measure, Inbound Traffic Filtering via a Web Application Firewall (WAF) can effectively block exploit attempts against CVE-2025-48703. A custom WAF rule should be created to inspect the body of all POST requests sent to the CWP server. The rule should specifically look for the parameter t_total and check its value for common shell metacharacters such as semicolons (;), pipes (|), ampersands (&), and backticks (`). If these characters are detected within the t_total parameter's value, the request should be blocked, and a high-priority alert should be generated. This provides a strong virtual patch that can protect the server even before the CWP software itself has been updated, and it offers continued protection against similar injection-style attacks in the future.
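The WAF rule described here and the log-analysis rule from the Detection Methods section, written out as an added example (not code from the advisory or the CWP project). It assumes log lines of the constructed form `<ip> <method> <uri> <body>`, assumes the changePerm action is requested under a URI that contains the file_manager module directory (the advisory gives only the filesystem path), and adds `$(` and newline to the advisory's list of metacharacters.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# ; | & and backtick are from the advisory; $( and newline are added as an assumption.
METACHARS = re.compile(r"[;|&`\n]|\$\(")
# Assumption: changePerm is requested under a URI containing the file_manager directory.
TARGET_PATH = re.compile(r"/file_manager/", re.I)

def extract_t_total(body):
    """Return the decoded t_total value from a JSON or form-encoded body, else None."""
    body = body.strip()
    if body.startswith("{"):
        try:
            value = json.loads(body).get("t_total")
        except (json.JSONDecodeError, AttributeError):
            return None
        return value if isinstance(value, str) else None
    # Test the decoded value: '&' separates form fields and %60 would hide a backtick.
    values = parse_qs(body, keep_blank_values=True).get("t_total")
    return values[0] if values else None

def classify_request(method, uri, body):
    """'block' = t_total carries shell metacharacters; 'alert' = any other POST
    to the file manager (the log-analysis rule); 'allow' = everything else."""
    if method.upper() != "POST" or not TARGET_PATH.search(urlsplit(uri).path):
        return "allow"
    value = extract_t_total(body)
    if value is not None and METACHARS.search(value):
        return "block"
    return "alert"

def scan_log(lines):
    """Run the rule over '<ip> <method> <uri> <body>' log lines; return the hits."""
    hits = []
    for line in lines:
        ip, method, uri, body = line.split(" ", 3)
        verdict = classify_request(method, uri, body)
        if verdict != "allow":
            hits.append((ip, verdict))
    return hits

# Constructed sample lines: the advisory's payload, a benign chmod, and a GET.
SAMPLE_LOG = [
    '203.0.113.7 POST /admin/modules/file_manager/changePerm {"t_total": "\';/usr/bin/id > test.txt;\'"}',
    "198.51.100.4 POST /admin/modules/file_manager/changePerm t_total=755&fileName=index.php",
    "198.51.100.4 GET /admin/index.php -",
]
```

Matching on the decoded parameter value rather than the raw body is what keeps a normal multi-field form submission from tripping the rule while still catching URL-encoded metacharacters.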

Article Author

Jason Gomes
• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: CISA, KEV, Vulnerability, RCE, CVE-2025-48703, Control Web Panel, Web Hosting
