Full Report
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning that threat actors are exploiting a critical remote command execution flaw in CentOS Web Panel (CWP). [...]
Analysis Summary
# Vulnerability: Critical Remote Command Execution in CentOS Web Panel (CWP)
## CVE Details
- CVE ID: CVE-2025-48703
- CVSS Score: Not explicitly provided, but described as **critical** and actively exploited.
- CWE: Not explicitly available in the provided text.
## Affected Systems
- Products: CentOS Web Panel (CWP)
- Versions: All versions before 0.9.8.1204
- Configurations: Any instance accessible by an attacker who knows a valid username.
## Vulnerability Description
The vulnerability is a critical Remote Command Execution (RCE) flaw rooted in the file-manager’s `_changePerm_` endpoint. This endpoint processes requests even when the per-user identifier is omitted, allowing unauthenticated requests to reach logic designed for logged-in users. The subsequent unsanitized input in the `_t_total_` parameter, which dictates file permissions via the `chmod` command, is passed directly into a shell command, enabling shell injection and arbitrary command execution as the target user.
## Exploitation
- Status: **Exploited in the wild** (Added to CISA KEV catalog)
- Complexity: Low (Requires only a valid username and network access)
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary commands can be executed as the target user)
- Integrity: High (Arbitrary commands can be executed as the target user)
- Availability: High (Arbitrary commands can be executed, leading to system compromise)
## Remediation
### Patches
- **Fixed Version:** 0.9.8.1205
### Workarounds
- Stop using the product (as advised by CISA for federal entities if patching is not immediately possible).
## Detection
- **Indicators of compromise:** Monitoring network traffic for POST requests targeting the file-manager changePerm endpoint containing crafted `_t_total_` parameters designed to inject shell commands (e.g., commands spawning a reverse shell).
- **Detection methods and tools:** Utilize host-based intrusion detection systems (HIDS) or web application firewalls (WAFs) to inspect requests to CWP administrative endpoints for unexpected input within permission parameters.
## References
- Vendor Advisory (Fix released June 18): (Not explicitly linked, refers to version upgrade)
- CISA KEV Catalog Addition: cisa[.]gov/news-events/alerts/2025/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Technical Write-up: fenrisk[.]com/rce-centos-webpanel