PT-2025-26757 · Unknown · Centos Web Panel

Maxime Rinaudo · Published 2025-06-24 · Updated 2025-12-04 · CVE-2025-48703

CVSS v3.1: 9.0
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Control Web Panel (CWP) versions prior to 0.9.8.1205
Description: CWP (also known as CentOS Web Panel) is affected by a critical remote code execution (RCE) vulnerability. An unauthenticated attacker who knows a valid (non-root) username can execute arbitrary commands on a vulnerable system. The vulnerability stems from insufficient input validation of the t_total parameter in requests to /admin/loader_ajax.php?ajax=filemanager&acc=changePerm: the application incorporates this user-supplied value directly into a shell command without sanitization, which allows command injection. Exploitation involves crafting a malicious POST request to this endpoint, giving the attacker command execution in the context of the CWP process. Reports indicate active exploitation of this vulnerability in the wild, with over 1.8 million potentially vulnerable instances identified. Successful exploitation gives the attacker full control of the server, potentially leading to data compromise, backdoors, and further network intrusion. The vulnerable endpoint is /admin/loader_ajax.php?ajax=filemanager&acc=changePerm and the vulnerable parameter is t_total.
Recommendations: Control Web Panel versions prior to 0.9.8.1205 should be updated to version 0.9.8.1205 or later.
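The following script is an added illustration of a compensating control for the weakness described above; it is not CWP's own code and does not come from the advisory author. It takes only the endpoint path, its query string, the t_total parameter name and the fixed version number from the advisory. The request format, the sample requests and the allowlist policy (a permission value must be a plain three- or four-digit octal mode) are constructed assumptions. Such a check belongs in a reverse proxy or WAF in front of the panel and complements, but does not replace, updating to 0.9.8.1205.

```python
"""
Compensating-control check for the CWP changePerm command-injection pattern
described in CVE-2025-48703. Added example, not CWP's own code.

From the advisory: endpoint path, query string, parameter name, fixed version.
Constructed here: request representation, sample traffic, allowlist policy.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint, action and parameter named in the advisory.
VULN_PATH = "/admin/loader_ajax.php"
VULN_QUERY = {"ajax": "filemanager", "acc": "changePerm"}
VULN_PARAM = "t_total"

# Release that carries the vendor fix, per the advisory.
FIXED_VERSION = "0.9.8.1205"

# Assumption: a legitimate permission value is three or four octal digits (755, 0644).
OCTAL_MODE = re.compile(r"[0-7]{3,4}")
# Characters that let a value break out of a shell command interpolated unquoted.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n\r]")


def parse_version(version: str) -> tuple:
    """Turn '0.9.8.1205' into (0, 9, 8, 1205) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for any CWP release older than the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def targets_change_perm(method: str, url: str) -> bool:
    """Match the advisory's endpoint: a POST to loader_ajax.php with the changePerm action."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return False
    query = parse_qs(parts.query)
    return all(query.get(key) == [value] for key, value in VULN_QUERY.items())


def inspect_request(method: str, url: str, body: str) -> dict:
    """
    Decide what a proxy in front of CWP should do with one request.
    Returns {'action': 'allow' | 'block', 'reason': ...}. The policy is an
    allowlist: anything in t_total that is not a plain octal mode is blocked,
    so the verdict never depends on enumerating every shell metacharacter;
    the metacharacter scan only produces a more specific reason for the log.
    """
    if not targets_change_perm(method, url):
        return {"action": "allow", "reason": "not the changePerm action"}
    params = parse_qs(body, keep_blank_values=True)
    value = params.get(VULN_PARAM, [""])[0]
    if OCTAL_MODE.fullmatch(value):
        return {"action": "allow", "reason": "t_total is a plain octal mode"}
    if SHELL_META.search(value):
        return {"action": "block", "reason": "shell metacharacter in t_total"}
    return {"action": "block", "reason": "t_total is not an octal mode"}


# Constructed sample traffic, not captured from a real system.
SAMPLE_REQUESTS = [
    ("POST", "/admin/loader_ajax.php?ajax=filemanager&acc=changePerm", "t_total=755"),
    ("POST", "/admin/loader_ajax.php?ajax=filemanager&acc=changePerm",
     "t_total=755%3Becho+marker"),
    ("GET", "/admin/loader_ajax.php?ajax=filemanager&acc=list", ""),
]


def main() -> None:
    print("0.9.8.1204 vulnerable:", is_vulnerable_version("0.9.8.1204"))
    print("0.9.8.1205 vulnerable:", is_vulnerable_version("0.9.8.1205"))
    for method, url, body in SAMPLE_REQUESTS:
        verdict = inspect_request(method, url, body)
        print(f"{method} {url} body={body!r} -> {verdict['action']}: {verdict['reason']}")


if __name__ == "__main__":
    main()
```

The version check is useful in inventory scripts that read the panel's reported version; the request check blocks any changePerm call whose t_total is not a bare octal mode, which is the only shape the file manager needs for that action under the stated assumption.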

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-07803
CVE-2025-48703

Affected Products

Centos Web Panel