Urgent: Critical Web Panel Flaw Actively Exploited (CVE-2025-48703)
▼ Summary
– CISA added two vulnerabilities (CVE-2025-11371 and CVE-2025-48703) to its Known Exploited Vulnerabilities catalog on Tuesday.
– CVE-2025-48703 is a critical OS command injection flaw in Control Web Panel that allows unauthenticated remote code execution.
– Exploitation of CVE-2025-48703 requires attackers to know or guess a valid non-root username, which is often predictable.
– Over 220,000 internet-facing CWP instances exist, and users should upgrade to version 0.9.8.1205 or later to patch the vulnerability.
– Additional mitigation steps include restricting access to port 2083, monitoring for signs of compromise, and using intrusion detection systems.
A critical security vulnerability within Control Web Panel (CWP) is now under active exploitation, posing a significant threat to web hosting environments. The Cybersecurity and Infrastructure Security Agency (CISA) has officially added this flaw, designated CVE-2025-48703, to its Known Exploited Vulnerabilities catalog. This action highlights the immediate danger it presents to servers managed by this popular control panel software.
Control Web Panel serves as a comprehensive management tool for servers operating on CentOS and its derivatives, including Rocky Linux and AlmaLinux. It is widely adopted by administrators of virtual private servers and dedicated hosting environments to oversee web services, databases, email systems, and DNS configurations. The platform offers both a no-cost edition with fundamental management capabilities and a professional, paid version that includes enhanced security protections and automated update features.
The specific vulnerability, CVE-2025-48703, is a severe OS command injection weakness. It enables unauthenticated attackers to execute arbitrary commands on the underlying server by manipulating the `t_total` parameter within a file manager request. This type of flaw can be exploited remotely without any form of user interaction or prior authentication, though it does require the attacker to identify a valid, non-root username on the target system. Unfortunately, such usernames are frequently easy to predict or guess, lowering the barrier for a successful attack.
Once an attacker submits a maliciously crafted HTTPS request to the vulnerable endpoint, they can run operating system commands with the privileges of the identified user. This access can be leveraged to install malicious web shells, establish persistent backdoors, move laterally across the network, or attempt to escalate privileges further based on existing system misconfigurations.
Following the public release of a technical analysis and proof-of-concept exploit code in late June 2025, security researchers observed a rapid increase in exploit development within hacking communities. It was only a short time before active exploitation attempts began appearing in the wild. Current internet scans indicate that more than 220,000 CWP instances are exposed online, though the exact number running a vulnerable software version is unknown.
The vulnerability impacts all CWP versions prior to 0.9.8.1205. System administrators are urged to take the following steps immediately:
- Upgrade the control panel to version 0.9.8.1205 or a newer release without delay.
- Staying informed about emerging threats is a cornerstone of modern cybersecurity.
To receive immediate alerts about critical vulnerabilities and active incidents, consider subscribing to dedicated security notification services.
(Source: HelpNet Security)
