CVE-2025-48703
Published: 19 September 2025
Summary
CVE-2025-48703 is a critical-severity OS Command Injection (CWE-78) vulnerability in Control-Webpanel Webpanel. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents command injection by validating and sanitizing the t_total parameter against shell metacharacters in filemanager changePerm requests.
SI-2 requires timely patching of the vulnerable CWP versions before 0.9.8.1205 to remediate the RCE flaw.
RA-5 vulnerability scanning identifies the presence of CVE-2025-48703 in deployed CWP instances for prompt remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE via OS command injection on public-facing web panel (CWP) enables exploitation of public-facing applications.
NVD Description
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Deeper analysisAI
CVE-2025-48703 is a critical remote code execution vulnerability (CVSS 9.0, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) in Control Web Panel (CWP), also known as CentOS Web Panel, affecting versions before 0.9.8.1205. The flaw, classified under CWE-78 (OS Command Injection), arises from improper handling of shell metacharacters in the t_total parameter during a filemanager changePerm request, allowing unauthenticated attackers to inject and execute arbitrary commands.
An unauthenticated remote attacker can exploit this vulnerability over the network if they know a valid non-root username on the target system. While exploitation requires high attack complexity, it demands no privileges or user interaction. Successful attacks enable arbitrary code execution with changed scope, resulting in high impacts to confidentiality, integrity, and availability, potentially leading to full server compromise.
Advisories recommend updating to CWP version 0.9.8.1205 or later for mitigation, as detailed in the vendor changelog at control-webpanel.com/changelog. Further technical analysis is available from fenrisk.com/rce-centos-webpanel, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog at cisa.gov/known-exploited-vulnerabilities-catalog.
Details
- CWE(s)
- KEV Date Added
- 04 November 2025