CVE-2025-48703

CVSS 9.0 CRITICAL · EPSS 99.6% · KEV · CWE-78
In short

CWP (Control Web Panel, also known as CentOS Web Panel) before version 0.9.8.1205 has a critical flaw that lets an attacker run arbitrary commands on the server without logging in. The attacker injects shell commands into a file-manager permission-change request; the only prerequisite is knowing a valid non-root username on the host.

Technical detail

OS command injection (CWE-78) in the filemanager changePerm endpoint: the t_total parameter is passed to a shell without sanitization. An unauthenticated attacker who knows a valid non-root username can place shell metacharacters in t_total and achieve remote code execution on the panel host. Versions before 0.9.8.1205 are affected; the fix is to update to 0.9.8.1205 or later.
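The snippet below is an added example, not CWP's code and not a reconstruction of the real changePerm handler (which is PHP and is not shown on this page). It contrasts the CWE-78 shape the advisory describes, a permission parameter spliced unchanged into a shell command, with a hardened handler that allow-lists the mode format, confines the path, and never invokes a shell. The parameter name t_total comes from the advisory; the `file` key, the function names, the request dict and the dotted version format assumed by `is_affected` are assumptions made for the example.

```python
import os
import re
import stat
import tempfile


def change_perm_vulnerable(req):
    """The CWE-78 pattern: t_total is interpolated into a shell command
    string unchanged, so ';', '|', '`' or '$(...)' inside it becomes a
    second command when the string reaches a shell. The command string is
    returned rather than executed so the injection is visible safely."""
    return f"chmod {req['t_total']} {req['file']}"  # 'file' key is an assumption


class BadPermission(ValueError):
    """Raised when the permission parameter is not a plain octal mode."""


MODE_RE = re.compile(r"[0-7]{3,4}")


def validate_mode(mode):
    """Accept only 3 or 4 octal digits and return the mode as an int.
    Allow-listing the format means no shell metacharacter can pass."""
    if not isinstance(mode, str) or not MODE_RE.fullmatch(mode):
        raise BadPermission(f"invalid mode: {mode!r}")
    return int(mode, 8)


def change_perm_hardened(req, base_dir):
    """Hardened handler: validated integer mode, target path confined to
    base_dir (e.g. the user's home), and no shell at all (os.chmod).
    Returns the resulting mode as octal text."""
    mode = validate_mode(req["t_total"])
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, req["file"]))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base dir: {req['file']!r}")
    os.chmod(target, mode)
    return oct(stat.S_IMODE(os.stat(target).st_mode))


def is_affected(version, fixed=(0, 9, 8, 1205)):
    """True when a dotted CWP version string sorts below the fixed release.
    Assumes the panel reports versions like '0.9.8.1204'."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < fixed


def demo():
    """Runs both handlers against a constructed request carrying a classic
    injection payload, then a benign request; returns what happened."""
    payload = {"t_total": "755;id", "file": "notes.txt"}  # constructed input
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("x")
        try:
            change_perm_hardened(payload, d)
            rejected = False
        except BadPermission:
            rejected = True
        good = change_perm_hardened({"t_total": "640", "file": "notes.txt"}, d)
    return {
        "vulnerable_cmd": change_perm_vulnerable(payload),
        "hardened_rejected": rejected,
        "hardened_mode": good,
    }


if __name__ == "__main__":
    print(demo())
```

If the handler genuinely has to shell out (for instance to a setuid wrapper), the same rule applies: pass an argv list such as `["chmod", mode, target]` to `subprocess.run` with `shell=False`, after validating `mode` as above, so the parameter is never interpreted by a shell.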

Summary generated and translated by AI from the official description.
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
