CVE-2025-48703
BaseFortify
Publication date: 2025-09-19
Last updated on: 2025-11-05
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| control-webpanel | webpanel | before 0.9.8.1205 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-48703 is a remote code execution vulnerability in CentOS Web Panel (CWP) before version 0.9.8.1205. It allows an unauthenticated remote attacker who knows a valid non-root username to execute arbitrary commands on the server. The vulnerability exists in the user panel's file management feature, specifically in the 'changePerm' action where the 't_total' parameter, intended to specify file permissions, is not properly sanitized and is directly passed to a shell command. This enables command injection, allowing attackers to run malicious commands with the privileges of the targeted user. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized remote code execution on your server. An attacker can bypass authentication and execute arbitrary commands with the privileges of a valid non-root user, potentially leading to data theft, server compromise, installation of malware, or further attacks within your network. Because the attacker does not need valid credentials beyond a username, the risk of exploitation is significant. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts show up as POST requests to `/myuser/index.php?module=filemanager&acc=changePerm` on the CWP user panel (port 2083) whose `t_total` parameter is not a plain octal mode such as `644`: shell metacharacters (`;`, `&`, `|`, `$`, backticks), often URL-encoded, are the signature. A network intrusion detection system (NIDS) or a WAF in front of the panel can alert on that pattern. Two caveats apply. First, a standard web-server access log records the request line but not the POST body, so a log search only confirms that the endpoint was hit; it sees `t_total` only if the parameter was sent in the query string or full-request logging is enabled. Second, port 2083 is the TLS port of the user panel, so a packet capture there shows ciphertext unless the traffic is decrypted or captured behind the TLS endpoint. Independently of the parameter value, treat a request to this endpoint that carries no session cookie but is still processed as a likely exploitation attempt. Example commands:
1) Search the access log for hits on the endpoint, and for injection characters where the parameter appears in the query string: `grep 'module=filemanager&acc=changePerm' /var/log/httpd/access_log | grep -E 't_total=.*[;&|$]'`
2) Capture packets with a TCP payload on the panel port and look for the parameter (plaintext traffic only): `tcpdump -A -s 0 'tcp port 2083 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 't_total='` [1]
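The checks above, as an added example that is not part of the original page or of CWP: the script below takes HTTP request records (as you would reconstruct them from a WAF, reverse proxy or decrypted capture, since access logs lack the POST body), keeps only POSTs to the `changePerm` action, and flags any `t_total` that is not a 3- or 4-digit octal mode, plus any such request sent without a session cookie. Matching on an allow-list of valid modes generalizes the metacharacter grep: it catches encodings and characters the blacklist misses. The sample requests are constructed; the `file` body field, the host name and the cookie value are assumptions, not CWP parameter names.

```python
"""Flag CWP filemanager changePerm requests whose t_total is not a plain octal mode.

Added example, not CWP code. Input is a list of request records
(method, target, headers, body) reconstructed from a WAF, reverse proxy
or decrypted capture; standard access logs do not record POST bodies.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The vulnerable action is selected by these query parameters.
TARGET_QUERY = {"module": "filemanager", "acc": "changePerm"}
# A legitimate permission change is a 3- or 4-digit octal mode (e.g. 644, 0755).
OCTAL_MODE = re.compile(r"[0-7]{3,4}")


def is_changeperm(target):
    """True when the request target is index.php with module=filemanager&acc=changePerm."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return False
    query = parse_qs(parts.query)
    return all(query.get(key, [None])[0] == value for key, value in TARGET_QUERY.items())


def analyse(requests):
    """Return one finding per suspicious changePerm POST: index, decoded t_total, reasons."""
    findings = []
    for index, req in enumerate(requests):
        if req["method"] != "POST" or not is_changeperm(req["target"]):
            continue
        headers = {name.lower(): value for name, value in req["headers"].items()}
        # parse_qs percent-decodes, so an encoded ';' or '$(' shows up as the real character.
        params = parse_qs(req["body"], keep_blank_values=True)
        t_total = params.get("t_total", [""])[0]
        reasons = []
        if not OCTAL_MODE.fullmatch(t_total):
            reasons.append("t_total is not an octal mode")
        if "cookie" not in headers:
            reasons.append("no session cookie")
        if reasons:
            findings.append({"index": index, "t_total": t_total, "reasons": reasons})
    return findings


# Constructed sample traffic; "file", the host and the cookie value are assumed names.
ENDPOINT = "/myuser/index.php?module=filemanager&acc=changePerm"
SAMPLE_REQUESTS = [
    # 0: ordinary chmod 644 from a logged-in user
    {"method": "POST", "target": ENDPOINT,
     "headers": {"Host": "cwp.example:2083", "Cookie": "PHPSESSID=0123abcd"},
     "body": "file=index.html&t_total=644"},
    # 1: unauthenticated, t_total=755;id  (';' sent URL-encoded as %3B)
    {"method": "POST", "target": ENDPOINT,
     "headers": {"Host": "cwp.example:2083"},
     "body": "file=x&t_total=755%3Bid"},
    # 2: authenticated session but t_total=755$(id)
    {"method": "POST", "target": ENDPOINT,
     "headers": {"Host": "cwp.example:2083", "Cookie": "PHPSESSID=0123abcd"},
     "body": "file=x&t_total=755%24%28id%29"},
    # 3: a different filemanager action, ignored
    {"method": "GET", "target": "/myuser/index.php?module=filemanager&acc=list",
     "headers": {"Host": "cwp.example:2083", "Cookie": "PHPSESSID=0123abcd"},
     "body": ""},
    # 4: valid mode but no session cookie at all
    {"method": "POST", "target": ENDPOINT,
     "headers": {"Host": "cwp.example:2083"},
     "body": "file=x&t_total=755"},
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_REQUESTS):
        print(finding)
```

Requests 1, 2 and 4 are reported; request 0 is a normal permission change and request 3 is a different action. Feed `analyse` records built from your own proxy or capture output to run it against real traffic.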
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps:
1) Upgrade CWP to version 0.9.8.1205 or later, where the vulnerability is patched. This is the only complete fix.
2) Restrict access to the CWP user panel (port 2083, and the plain-HTTP port if it is exposed) with firewall rules so that only trusted source addresses can reach it.
3) Until the upgrade is done, block POST requests to `/myuser/index.php?module=filemanager&acc=changePerm` at a reverse proxy or WAF in front of the panel, or at least drop those whose `t_total` value is not a 3- or 4-digit octal mode.
4) Review server logs and the accounts of non-root users for signs of exploitation (unexpected files, cron jobs, SSH keys or processes running as a panel user) and respond accordingly. [1]