PT-2025-26757 · Unknown · Centos Web Panel

Maxime Rinaudo · Published 2025-06-24 · Updated 2025-12-29 · CVE-2025-48703

CVSS v3.1 score: 9.0
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Control Web Panel (CWP) versions prior to 0.9.8.1205
Description: CWP (also known as CentOS Web Panel) contains an unauthenticated remote code execution vulnerability. An attacker who knows a valid non-root username, but holds no credentials, can use it to execute arbitrary shell commands on the server. The flaw is in the filemanager module, in the handling of the changePerm request: the t_total parameter is passed into a shell command without sufficient input validation, so shell metacharacters placed in it are interpreted and executed by the server. The vulnerable endpoint is /admin/loader_ajax.php?ajax=filemanager&acc=changePerm and the injection point is the t_total parameter. The vulnerability has been exploited in the wild, and reports put the number of potentially vulnerable instances at over 1.8 million.
Recommendations: Upgrade CWP to version 0.9.8.1205 or later.
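As an added detection example (not part of this advisory and not CWP's own code), the following Python scans web-server access-log lines for changePerm requests to the endpoint named above and classifies the t_total value: a plain octal chmod mode is the only value the action should receive, anything carrying shell metacharacters is treated as an injection attempt, and anything else is flagged as anomalous. The log lines are constructed for the example; the endpoint path and the assumption that t_total should be an octal mode are taken from this advisory and may need adjusting for your deployment. A request that carries t_total in a POST body does not appear in an access log, so this only catches attempts sent in the query string; for those, a WAF or request-body log is needed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist for the value changePerm should receive (assumption: an octal
# chmod mode such as 755 or 0644). Anything outside this pattern is suspect.
OCTAL_MODE = re.compile(r"[0-7]{3,4}")

# Characters that let a value break out of a shell command it is concatenated into.
SHELL_META = set(";|&`$()<>\n\r\"'\\{}")

# Common/combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)


def is_safe_mode(value: str) -> bool:
    """True only for a plain octal mode string, the intended input."""
    return OCTAL_MODE.fullmatch(value) is not None


def has_shell_meta(value: str) -> bool:
    """True if the value contains any character a shell would interpret."""
    return any(ch in SHELL_META for ch in value)


def inspect_request(target: str):
    """Return the list of t_total values of a filemanager/changePerm request,
    or None if the request target is not that call at all.

    The endpoint path is the one named in the advisory (assumed here)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/loader_ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX escapes
    ajax = qs.get("ajax", [""])[0].lower()
    acc = qs.get("acc", [""])[0].lower()
    if ajax != "filemanager" or acc != "changeperm":
        return None
    return qs.get("t_total", [])


def scan_log(lines):
    """Return one finding per t_total value seen in changePerm requests.

    verdict is 'injection' when the value carries shell metacharacters,
    'anomalous' when it is merely not an octal mode, and 'ok' otherwise."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        values = inspect_request(m["target"])
        if values is None:
            continue
        for value in values:
            if has_shell_meta(value):
                verdict = "injection"
            elif not is_safe_mode(value):
                verdict = "anomalous"
            else:
                verdict = "ok"
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "t_total": value, "verdict": verdict,
            })
    return findings


# Constructed sample access-log lines (not real traffic): one legitimate
# permission change, two injection attempts, one malformed value, one unrelated hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2025:10:01:02 +0000] "GET /admin/loader_ajax.php?ajax=filemanager&acc=changePerm&t_total=755&fileName=index.php HTTP/1.1" 200 44',
    '203.0.113.7 - - [24/Jun/2025:10:01:09 +0000] "GET /admin/loader_ajax.php?ajax=filemanager&acc=changePerm&t_total=755%3Bid%3E%2Ftmp%2Fo&fileName=x HTTP/1.1" 200 44',
    '198.51.100.9 - - [24/Jun/2025:10:02:00 +0000] "GET /admin/loader_ajax.php?ajax=filemanager&acc=changePerm&t_total=%24%28id%29 HTTP/1.1" 200 44',
    '198.51.100.9 - - [24/Jun/2025:10:02:30 +0000] "GET /admin/loader_ajax.php?ajax=filemanager&acc=changePerm&t_total=rwxr-xr-x HTTP/1.1" 200 44',
    '192.0.2.5 - - [24/Jun/2025:10:03:00 +0000] "GET /admin/index.php?module=dashboard HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} t_total={f['t_total']!r} -> {f['verdict']}")
```

Run against a real log with `scan_log(open("/var/log/httpd/access_log"))`; the interesting rows are the 'injection' and 'anomalous' verdicts, and a 200 status on an 'injection' row from an unpatched host is the signal to treat the server as compromised rather than merely probed.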

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-07803
CVE-2025-48703

Affected Products

Centos Web Panel