CVE-2025-48703 - CWP Control Web Panel OS Command Injection Vulnerability
Project: CWP
Product: Control Web Panel
Date Added: 2025-11-04
Due Date: 2025-11-25
Vulnerability Name
CWP Control Web Panel OS Command Injection Vulnerability
Description
CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Known To Be Used in Ransomware Campaigns?
Unknown
Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional Notes
https://control-webpanel.com/changelog
https://nvd.nist.gov/vuln/detail/CVE-2025-48703
Related News Articles
CISA warns of critical CentOS Web Panel bug exploited in attacks - November 6, 2025
Critical Control Web Panel vulnerability is actively exploited (CVE-2025-48703) - November 5, 2025
CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence - November 5, 2025