CVE-2025-48703
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-19

Last updated on: 2025-11-05

Assigner: MITRE

Description
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-19
Last Modified
2025-11-05
Generated
2026-06-16
AI Q&A
2025-09-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-48703
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
control-webpanel webpanel to 0.9.8.1205 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-48703 is a remote code execution vulnerability in CentOS Web Panel (CWP) before version 0.9.8.1205. It allows an unauthenticated remote attacker who knows a valid non-root username to execute arbitrary commands on the server. The vulnerability exists in the user panel's file management feature, specifically in the 'changePerm' action where the 't_total' parameter, intended to specify file permissions, is not properly sanitized and is directly passed to a shell command. This enables command injection, allowing attackers to run malicious commands with the privileges of the targeted user. [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on your server. An attacker can bypass authentication and execute arbitrary commands with the privileges of a valid non-root user, potentially leading to data theft, server compromise, installation of malware, or further attacks within your network. Because the attacker does not need valid credentials beyond a username, the risk of exploitation is significant. [1]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint `/myuser/index.php?module=filemanager&acc=changePerm` on the CWP user interface (typically port 2083). Look for requests containing the `t_total` parameter with unusual or shell metacharacters indicating command injection attempts. Network intrusion detection systems (NIDS) can be configured to alert on such patterns. Additionally, checking web server logs for POST requests to this endpoint with unexpected `t_total` values or requests missing authentication cookies but still processed can indicate exploitation attempts. Example commands to detect such activity include: 1) Using grep on web server logs: `grep 'module=filemanager&acc=changePerm' /var/log/httpd/access_log | grep -E 't_total=.*[;&|$]'` 2) Using tcpdump to capture suspicious POST requests: `tcpdump -A -s 0 'tcp port 2083 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 't_total='` [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Upgrade CWP to version 0.9.8.1205 or later, where the vulnerability is patched. 2) Restrict access to the CWP user interface (port 2083) by firewall rules to trusted IP addresses only. 3) Monitor and block suspicious POST requests to the vulnerable endpoint `/myuser/index.php?module=filemanager&acc=changePerm`. 4) If upgrading immediately is not possible, consider disabling the filemanager permission change functionality or restricting it to authenticated users only. 5) Review server logs for signs of exploitation and respond accordingly. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-48703. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart