The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning that threat actors are exploiting a critical remote command execution flaw in CentOS Web Panel (CWP).
The agency has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and is giving federal entities subject to the BOD 22-01 guidance until November 25 to apply available security updates and vendor-provided mitigations, or stop using the product.
Tracked as CVE-2025-48703, the security issue allows remote, unauthenticated attackers with knowledge of a valid username on a CWP instance to execute arbitrary shell commands as that user.
CWP is a free web hosting control panel used for Linux server management, marketed as an open-source alternative to commercial panels like cPanel and Plesk. It is widely used by web hosting providers, system administrators, and VPS or dedicated server operators.
The issue impacts all CWP versions before 0.9.8.1204 and was demonstrated on CentOS 7 in late June by Fenrisk security researcher Maxime Rinaudo.
In a detailed technical write-up, the researcher explains that the root cause of the flaw is the file-manager ‘changePerm’ endpoint processing requests even when the per-user identifier is omitted, allowing unauthenticated requests to reach code that expects a logged-in user.
Furthermore, the ‘t_total’ parameter, which works as a file permission mode in the chmod system command, is passed unsanitized into a shell command, allowing shell injection and arbitrary command execution.
In Rinaudo's exploit, a POST request to the file-manager changePerm endpoint with a crafted t_total injects a shell command and spawns a reverse shell as the target user.
POST request that triggers command injection on the application
Source: Fenrisk
... continue reading