CVE-2025-48703 — Actively Exploited: Control Web Panel (CWP)
CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
| CVE ID | CVE-2025-48703 |
|---|---|
| Vendor | CWP |
| Product | Control Web Panel |
| Vulnerability name | CWP Control Web Panel OS Command Injection Vulnerability |
| Date added | 2025-11-04 |
| Remediation due | 2025-11-25 |
| Known ransomware use | Unknown |
| Required action | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| Description | CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known. |
| Source | CISA Known Exploited Vulnerabilities |
🔍 Search all exploited vulnerabilities →
$1499/mo
Try ExploitWatch →