
About Remote Code Execution – Control Web Panel (CVE-2025-48703) vulnerability. Control Web Panel (CWP) is a free web-hosting control panel for RPM-based distributions. This web application provides a convenient interface for configuring and managing web servers (Apache, NGINX), databases (MySQL, MariaDB), mail systems (Postfix, Dovecot, Roundcube), DNS (BIND), and security tools (CSF, ModSecurity).
💡 Essence of the vulnerability: in the changePerm request of the filemanager module, there is a parameter called t_total, and its value is used as an argument to the system command chmod without sufficient validation. 🤷♂️ This allows an unauthenticated attacker to execute arbitrary shell commands on the CWP server. 😏
⚙️ Fixed in version 0.9.8.1205 on June 18, 2025.
🛠 On June 22, a detailed write-up appeared, followed soon by GitHub exploits.
👾 On November 4, the vulnerability was added to CISA KEV.
🌐 Shodan detects about 220,000 CWP installations online.
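To make the root cause above concrete, here is an added Python illustration (not CWP's own code, and not code from the author): an allow-list check for a chmod mode, the hardened way to invoke chmod without a shell, and a small scanner that flags changePerm requests whose t_total is not a plain octal mode. The URL path, log format and log lines are constructed assumptions, not taken from CWP.

```python
import re
from urllib.parse import urlparse, parse_qs

# A chmod mode is three or four octal digits (e.g. 644, 0755); anything else is rejected.
MODE_RE = re.compile(r"[0-7]{3,4}")

def is_valid_mode(value: str) -> bool:
    """Allow-list check: only a plain octal mode may ever reach chmod."""
    return MODE_RE.fullmatch(value) is not None

def chmod_argv(path: str, mode: str) -> list[str]:
    """Hardened form: validate first, then pass an argv list (no shell, no string concatenation)."""
    if not is_valid_mode(mode):
        raise ValueError(f"rejected chmod mode: {mode!r}")
    return ["chmod", mode, "--", path]

# Constructed access-log lines (combined log format); the /filemanager/changePerm path is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jun/2025:10:01:02 +0000] "POST /filemanager/changePerm?t_total=755&path=/home/user/index.php HTTP/1.1" 200 12
203.0.113.7 - - [22/Jun/2025:10:01:09 +0000] "POST /filemanager/changePerm?t_total=755%3Bcmd&path=/home/user HTTP/1.1" 200 12
203.0.113.9 - - [22/Jun/2025:10:02:00 +0000] "GET /login/index.php HTTP/1.1" 200 512
"""

# Client IP, timestamp, method and request target of one log line.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def suspicious_changeperm(log_text: str) -> list[dict]:
    """Flag changePerm requests whose t_total would not pass the allow-list check."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        src, ts, _method, target = m.groups()
        url = urlparse(target)
        if "changeperm" not in url.path.lower():
            continue
        # parse_qs percent-decodes values, so 755%3Bcmd becomes "755;cmd" here.
        for value in parse_qs(url.query, keep_blank_values=True).get("t_total", []):
            if not is_valid_mode(value):
                hits.append({"src": src, "time": ts, "t_total": value})
    return hits

if __name__ == "__main__":
    for hit in suspicious_changeperm(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} suspicious t_total={hit['t_total']!r}")
```

Parameters sent in a POST body do not appear in a standard access log, so this scanner only catches values carried in the query string; full coverage needs request-body logging or a WAF rule applying the same allow-list.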

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus, which is now the first place I post to.
