What is CWP Control Web Panel?
CWP (Control Web Panel, formerly CentOS Web Panel) is a free Linux web hosting control panel widely used by web hosting providers and system administrators to manage shared hosting environments — similar to cPanel but free. CWP manages Apache/Nginx web servers, PHP, MySQL/MariaDB, email (Postfix, Dovecot), FTP, DNS, and SSL certificates from a web-based admin interface. Its file manager allows administrators and users to manage files on the server directly from the browser. Because CWP manages the entire hosting stack with root-equivalent privileges, a remote code execution vulnerability on the panel is equivalent to full server takeover. Over 220,000 CWP instances are internet-facing according to Shodan.
Overview
CVE-2025-48703 is a critical OS command injection vulnerability (CWE-78, CVSS 9.0) in CWP's file manager changePerm functionality. Shell metacharacters in the t_total parameter are passed unsanitized to an OS command. The only prerequisite beyond network access is knowing a valid non-root username on the server — a condition trivially satisfied on shared hosting platforms where usernames are often predictable or publicly visible. The High Complexity (AC:H) CVSS rating reflects this prerequisite. The Scope:Changed (S:C) rating reflects that code executes in the hosting control panel context, crossing boundaries into the underlying OS. Researcher Rinaudo discovered and reported the vulnerability in May 2025; CWP patched it in version 0.9.8.1205, and CISA added it to the KEV catalog in November 2025.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| CWP Control Web Panel | All versions before 0.9.8.1205 | 0.9.8.1205 |
Confirmed vulnerable: CWP 0.9.8.1204 and 0.9.8.1188 on CentOS 7 (and likely all prior versions).
Technical Details
The vulnerability (CWE-78: OS Command Injection) is in the file manager's changePerm action, accessed via the URL pattern:
/filemanager&acc=changePerm
The t_total parameter — intended to convey file permission data — is passed directly to a shell command without sanitization or proper quoting. By embedding shell metacharacters (;, |, backticks, $()) in the t_total value, an attacker injects arbitrary commands that execute alongside the intended permission command.
The attack requires supplying a valid non-root Linux username. On typical shared hosting servers managed by CWP, usernames follow predictable patterns (matching domain names, customer IDs, or cPanel-style short usernames). Many servers also expose usernames through public-facing websites, FTP banners, or email headers. The injected commands execute with the privileges of the local user account — which, on many CWP installations, can be further escalated to root using local privilege escalation techniques.
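The two paragraphs above describe the bug class rather than CWP's actual code. The following Python sketch is an added example (not CWP's source, and not from the researcher's write-up) that places the vulnerable pattern beside its hardened form: the first handler splices the permission value into a shell command line verbatim, the second validates it against a strict octal allow-list and applies it with os.chmod so no shell is involved. The function names, the command layout and the use of echo as a harmless stand-in for an injected command are assumptions made for illustration; the example needs a POSIX sh and chmod on the path.

```python
import os
import re
import stat
import subprocess
import tempfile

# Strict allow-list for the permission value: three or four octal digits,
# the only shape a legitimate chmod mode from a file-manager form should take.
OCTAL_MODE = re.compile(r"^[0-7]{3,4}$")


def vulnerable_change_perm(path: str, t_total: str) -> str:
    """Illustrative vulnerable handler (assumed layout, not CWP's code): the
    user-controlled value is spliced into a shell command line without
    validation or quoting, so shell metacharacters in t_total are interpreted
    by /bin/sh. Returns the shell's stdout so the effect is visible."""
    cmd = f"chmod {t_total} {path}"  # t_total goes in verbatim
    result = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return result.stdout


def safe_change_perm(path: str, t_total: str) -> int:
    """Hardened form: validate against an allow-list, then apply the mode
    through os.chmod so no shell is involved at all. Rejecting anything that
    is not a plain octal mode covers every metacharacter payload without
    trying to enumerate individual dangerous characters."""
    if not OCTAL_MODE.fullmatch(t_total):
        raise ValueError(f"invalid permission value: {t_total!r}")
    os.chmod(path, int(t_total, 8))
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run both handlers against a temporary file and report what happened."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        # A benign value is accepted by the hardened handler.
        safe_mode = safe_change_perm(path, "0644")
        # A constructed value with a shell metacharacter: the vulnerable
        # handler runs the trailing command (echo stands in for anything).
        injected = "0755; echo INJECTED"
        vuln_out = vulnerable_change_perm(path, injected)
        try:
            safe_change_perm(path, injected)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "safe_mode": safe_mode,
            "vulnerable_output": vuln_out,
            "hardened_rejected": rejected,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The design point is that the fix is not escaping: once the value is constrained to an octal mode there is nothing left to quote, and dropping the shell entirely removes the command-injection surface rather than narrowing it.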
Discovery
Discovered by researcher Rinaudo, who reported the vulnerability to the CWP development team on May 13, 2025. After the patch was released in version 0.9.8.1205 (June 2025), Rinaudo published a detailed write-up with proof-of-concept code in late June 2025.
Exploitation Context
Exploitation began following Rinaudo's public write-up, with PoC exploit code appearing on GitHub. Over 220,000 internet-facing CWP instances were identified by Shodan at the time of disclosure — a large attack surface for automated exploitation. CISA added CVE-2025-48703 to the KEV catalog on 4 November 2025, confirming active exploitation. Observed post-exploitation activity: web shell deployment, persistence establishment, and lateral movement across hosted sites on the compromised server. No specific threat actor group has been publicly attributed.
Remediation
- Update CWP to version 0.9.8.1205 or later via the CWP built-in updater (Admin Panel → CWP Settings → Update CWP) or from the command line with: sh /scripts/update_cwp
- Restrict CWP admin panel access: apply firewall rules (iptables or firewalld) to limit access to the CWP admin ports (typically 2030/2031 and 2086/2087) to trusted administrative IPs only. Do not expose the admin panel to the internet.
- Audit for post-compromise indicators: check for unexpected files in web directories, new cron jobs, new system users, or unusual network connections from hosted user accounts.
- Enumerate publicly exposed usernames: audit your server for any mechanisms that leak system usernames (FTP banners, email headers, directory listings) and eliminate unnecessary disclosure.
- Consider migrating from CWP to an actively maintained hosting panel with a stronger security track record if long-term security is a concern.
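For the post-compromise audit above, one cheap retrospective check is to scan the panel's web server access log for changePerm requests whose t_total value is not a plain octal mode. The following Python is an added example, not a CWP tool: it parses combined-log-format lines, recognises the file manager changePerm action by the filemanager and acc=changePerm markers the advisory gives, and flags any visible t_total that is not three or four octal digits. The log lines are constructed for the example, and the /index.php?module=filemanager URL shape is an assumption; the matcher also accepts the bare /filemanager&acc=changePerm form quoted above. Note the caveat built in: when the value is sent in a POST body, access logs do not record it, so such requests are reported for review rather than judged.

```python
import re
from urllib.parse import unquote

# Combined-log-format prefix: client IP, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
OCTAL_MODE = re.compile(r"^[0-7]{3,4}$")

# Constructed sample log lines (not real traffic): a benign changePerm call, one
# carrying a shell metacharacter in t_total, a POST whose body is not logged,
# and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Nov/2025:10:12:01 +0000] "GET /index.php?module=filemanager'
    '&acc=changePerm&t_total=0755&fileName=index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Nov/2025:10:12:09 +0000] "GET /index.php?module=filemanager'
    '&acc=changePerm&t_total=0755%3Bid&fileName=index.html HTTP/1.1" 200 640',
    '198.51.100.7 - - [05/Nov/2025:10:12:15 +0000] "POST /index.php?module=filemanager'
    '&acc=changePerm HTTP/1.1" 200 640',
    '192.0.2.44 - - [05/Nov/2025:10:13:00 +0000] "GET /index.php HTTP/1.1" 200 1024',
]


def parse_params(target: str) -> dict:
    """Split the request target into key/value pairs. Everything after the first
    '?' is the query; if there is no '?', the '&'-separated tail of the path is
    used so the bare /filemanager&acc=changePerm form is handled too. Splitting
    by hand (rather than parse_qs) keeps ';' inside values intact on every
    Python version."""
    query = target.split("?", 1)[1] if "?" in target else target
    params = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[unquote(key)] = unquote(value)
    return params


def analyse_line(line: str):
    """Return a finding dict for a suspicious or unreviewable changePerm
    request, or None for lines that need no attention."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    params = parse_params(target)
    if "filemanager" not in target or params.get("acc") != "changePerm":
        return None
    base = {"ip": m.group("ip"), "timestamp": m.group("ts"), "method": m.group("method")}
    t_total = params.get("t_total")
    if t_total is None:
        # Value probably travelled in the request body, which access logs omit.
        return dict(base, verdict="review",
                    reason="changePerm request; t_total not visible in URL")
    if OCTAL_MODE.fullmatch(t_total):
        return None
    return dict(base, verdict="suspicious", t_total=t_total,
                reason=f"non-octal t_total {t_total!r}")


def scan(lines) -> list:
    """Run analyse_line over every log line and collect the findings."""
    return [f for f in (analyse_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Pair a "suspicious" hit with the indicators listed above (new files in web roots, cron entries, users) for the same hosted account, since a non-octal t_total from an external address is a strong sign the panel was probed or exploited before patching.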
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-48703 |
| Vendor / Product | CWP — Control Web Panel |
| NVD Published | 2025-09-19 |
| NVD Last Modified | 2025-11-05 |
| CVSS 3.1 Score | 9.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2025-11-04 |
| CISA KEV Deadline | 2025-11-25 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | High |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Changed |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Timeline
| Date | Event |
|---|---|
| 2025-05-13 | Researcher Rinaudo reports vulnerability to CWP developers |
| 2025-06-01 | CWP 0.9.8.1205 released — patching the command injection |
| 2025-06-25 | Rinaudo publishes write-up with PoC; exploit code appears on GitHub |
| 2025-09-19 | CVE published |
| 2025-11-04 | CISA adds to Known Exploited Vulnerabilities catalog |
| 2025-11-25 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| CWP Changelog (version 0.9.8.1205) | Vendor Advisory |
| NVD — CVE-2025-48703 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Help Net Security — CWP CVE-2025-48703 Exploited | News |
| op-c.net — Critical RCE in CentOS Web Panel CVE-2025-48703 | Security Research |
| runZero — CWP Instance Exposure Analysis | Security Research |