
Urgent CISA Alert: Active Attacks Exploit Critical CentOS Bug

Summary

– CISA warns that threat actors are exploiting a critical remote command execution vulnerability (CVE-2025-48703) in CentOS Web Panel (CWP).
– The vulnerability allows unauthenticated attackers with a valid username to execute arbitrary shell commands as that user on affected CWP instances.
– CISA added this flaw to its Known Exploited Vulnerabilities catalog and requires federal agencies to patch or stop using CWP by November 25.
– The security issue stems from improper request processing and unsanitized input in the file-manager ‘changePerm’ endpoint, enabling shell injection.
– CWP is a free web hosting control panel for Linux servers, and the flaw impacts all versions before 0.9.8.1204, with a fix released in version 0.9.8.1205.

A critical security flaw within the CentOS Web Panel (CWP) is now under active exploitation, prompting an urgent alert from the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Federal agencies must apply available patches or discontinue use of the vulnerable software by November 25, in accordance with Binding Operational Directive 22-01. This directive highlights the immediate need for all organizations using CWP to address this high-severity vulnerability without delay.

Identified as CVE-2025-48703, the flaw enables unauthenticated remote attackers who know a valid username on a CWP instance to execute arbitrary shell commands with that user’s privileges. CentOS Web Panel is a widely adopted, free control panel for Linux server administration, serving as an open-source option for web hosting providers, system administrators, and operators of VPS or dedicated servers.

The vulnerability affects all CWP versions prior to 0.9.8.1204. Security researcher Maxime Rinaudo of Fenrisk demonstrated the exploit on CentOS 7 in late June. According to his technical analysis, the flaw stems from the file-manager ‘changePerm’ endpoint processing requests even when the per-user identifier is missing. This allows unauthenticated requests to access code that normally requires a logged-in user.

Additionally, the ‘ttotal’ parameter, which functions as a file permission mode for the chmod system command, is passed unsanitized into a shell command. This lack of sanitization opens the door to shell injection and arbitrary command execution. In Rinaudo’s proof-of-concept, a malicious POST request sent to the file-manager changePerm endpoint uses a manipulated ttotal value to inject a shell command, ultimately spawning a reverse shell under the targeted user account.
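The two defects described above (a request path that runs without a logged-in user, and a permission mode spliced verbatim into a shell command) can both be shown in a few lines. The following is an added example written for this article, not code from CWP or from Rinaudo's analysis; the request shape (`user`, `path`, `ttotal` keys), the `handle_change_perm` handler and the per-user root directory are assumptions chosen to illustrate the pattern. It contrasts the unsafe string-building with a hardened handler that requires an authenticated user, accepts only an octal mode, confines the target path, and calls `os.chmod` with no shell involved; the rejected inputs are constructed test values.

```python
import os
import re
import shlex
import stat
import tempfile
from pathlib import Path

# Only a plain octal permission mode is acceptable: three or four octal digits.
MODE_RE = re.compile(r"[0-7]{3,4}")


def build_unsafe_command(path: str, ttotal: str) -> str:
    """The defective pattern: the caller-supplied 'ttotal' is spliced verbatim
    into a shell command line, so any shell metacharacter in it becomes part
    of the command.  Returned as a string for inspection only, never run."""
    return f"chmod {ttotal} {shlex.quote(path)}"


def is_valid_mode(ttotal) -> bool:
    """True only for a bare octal mode string such as '755' or '0644'."""
    return isinstance(ttotal, str) and MODE_RE.fullmatch(ttotal) is not None


def parse_mode(ttotal: str) -> int:
    """Validate the mode before it goes anywhere near a shell or chmod."""
    if not is_valid_mode(ttotal):
        raise ValueError(f"invalid mode: {ttotal!r}")
    return int(ttotal, 8)


def resolve_within(root: Path, relative: str) -> Path:
    """Confine the target to the user's own directory tree (no '..' escapes)."""
    base = root.resolve()
    target = (base / relative).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"path escapes user root: {relative!r}")
    return target


def handle_change_perm(request: dict, user_roots: dict) -> tuple:
    """Hardened handler (assumed shape, not CWP's code).  Three checks the
    vulnerable endpoint lacked: an authenticated user is required, the mode
    is strictly validated, and the change goes through os.chmod, not a shell.
    Returns (http_status, message)."""
    user = request.get("user")
    if not user or user not in user_roots:
        return 401, "authentication required"
    try:
        mode = parse_mode(request.get("ttotal", ""))
        target = resolve_within(user_roots[user], request.get("path", ""))
    except ValueError as exc:
        return 400, str(exc)
    except PermissionError as exc:
        return 403, str(exc)
    if not target.exists():
        return 404, "no such file"
    os.chmod(target, mode)  # argv-free system call; nothing is shell-parsed
    return 200, f"mode set to {oct(mode)}"


def demo() -> dict:
    """Exercise the handler against a constructed temp file and return the
    outcomes so they can be checked without a live web panel."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        page = root / "index.html"
        page.write_text("constructed sample file\n")
        os.chmod(page, 0o600)
        roots = {"alice": root}  # constructed user -> home directory map
        results = {
            "unauth": handle_change_perm(
                {"ttotal": "755", "path": "index.html"}, roots),
            "injected": handle_change_perm(
                {"user": "alice", "ttotal": "755;id", "path": "index.html"}, roots),
            "escape": handle_change_perm(
                {"user": "alice", "ttotal": "755", "path": "../etc/passwd"}, roots),
            "ok": handle_change_perm(
                {"user": "alice", "ttotal": "644", "path": "index.html"}, roots),
        }
        results["final_mode"] = stat.S_IMODE(page.stat().st_mode)
        return results


if __name__ == "__main__":
    print(build_unsafe_command("/srv/www/index.html", "755;id"))
    for name, outcome in demo().items():
        print(name, outcome)
```

The validator is deliberately an allow-list (only octal digits pass) rather than a deny-list of metacharacters, and the permission change is a direct system call, so there is no shell to inject into even if a future change loosened the check. The authentication test comes first, which is the control the original endpoint skipped when the per-user identifier was absent.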

Rinaudo reported the vulnerability to CWP on May 13, and a patch was released on June 18 as part of version 0.9.8.1205. CISA has since added the flaw to its Known Exploited Vulnerabilities catalog, though the agency has not disclosed specifics regarding ongoing attacks, such as the identity of threat actors or their targets.

In the same update, CISA also cataloged CVE-2025-11371, a local file inclusion vulnerability affecting Gladinet CentreStack and Triofox products. Federal agencies have been given the same November 25 deadline to apply patches or cease using these products. Huntress identified this flaw as an actively exploited zero-day on October 10, and the vendor released a fix four days later in version 16.10.10408.56683.

Although CISA’s KEV catalog primarily guides U.S. federal agencies, every organization should monitor these alerts and prioritize remediation of listed vulnerabilities to protect their infrastructure from active threats.

(Source: Bleeping Computer)
