Full Report
A vulnerability has been discovered in CWP (also known as Control Web Panel or CentOS Web Panel) that could allow remote code execution. CWP is a free server administration tool for enterprise Linux distributions such as CentOS that simplifies the management of web hosting services. It exposes two PHP-based applications with distinct roles: the admin interface (accessible on port 2087 or 2031) and the user interface (accessible on port 2083). The admin interface, served over HTTPS on port 2087, is designed for system administrators and provides full control over the server, including configuring web servers (Apache/NGINX), managing DNS, setting up email services, creating user accounts, monitoring resources, and implementing security measures such as Config Server Firewall (CSF); it requires root or admin credentials for access. Successful exploitation of this vulnerability could allow an actor to bypass the authentication process and trigger a command injection in the application.
Analysis Summary
# Vulnerability: CWP Unauthenticated Remote Code Execution via Parameter Injection
## CVE Details
- CVE ID: CVE-2025-48703
- CVSS Score: Not explicitly provided, but described as leading to RCE, implying High severity.
- CWE: Not explicitly provided (Implied: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
## Affected Systems
- Products: CWP (Control Web Panel or CentOS Web Panel)
- Versions: Before version 0.9.8.1205
- Configurations: Affects filemanager operations on the administrative interface. Requires knowledge of a valid non-root username.
## Vulnerability Description
This vulnerability is an OS Command Injection flaw residing within the CWP application. An attacker can achieve unauthenticated Remote Code Execution (RCE) by sending a specially crafted request to the filemanager component (likely targeting the admin interface on port 2087/2031). The flaw is triggered by injecting shell metacharacters into the `t_total` parameter within a `filemanager changePerm` request. Successful exploitation allows the actor to bypass authentication and execute arbitrary system commands.
## Exploitation
- Status: PoC available in the wild.
- Complexity: Low (Implied by unauthenticated RCE possibility, though knowledge of a valid user is required).
- Attack Vector: Network
## Impact
- Confidentiality: High (RCE allows access to sensitive system data)
- Integrity: High (RCE allows modification or destruction of system data/configuration)
- Availability: High (RCE can lead to system compromise and denial of service)
## Remediation
### Patches
- Apply updates to CWP to version **0.9.8.1205 or later**.
### Workarounds
- The advisory does not list specific immediate workarounds beyond patching. Because the vulnerability is tied to the filemanager functionality, limiting access to, or monitoring activity on, that specific application function may offer temporary relief until the patch is applied.
## Detection
- **Indicators of Compromise (IoCs)**: Look for unusual activity related to the `filemanager changePerm` function calls containing shell metacharacters (e.g., `;`, `|`, `&`) within application logs associated with the CWP service.
- **Detection Methods and Tools**: Monitor network traffic for requests matching the described exploit pattern targeting CWP ports (2087, 2031, 2083). Utilize Endpoint Detection and Response (EDR) to flag unexpected command execution originating from the CWP process.
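The log-based indicator above can be checked mechanically. The following script is an added example written for this report; it is not code from the advisory or from the CWP project. It assumes a Combined-Log-Format style access log (constructed sample lines below) and a hypothetical URL layout in which the filemanager module and the `changePerm` action appear in the request path or query string; only the `t_total` parameter name and the metacharacter list come from the advisory. A request is flagged only when it targets filemanager `changePerm` and its `t_total` value, after URL decoding, contains shell metacharacters.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters the advisory names (; | &) plus common relatives.
SHELL_META = set(";|&`$(){}<>\n")

# Combined-Log-Format style line: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; the URL layout (module/acc parameters) is assumed,
# the PLACEHOLDER token stands in for any injected text and is not a real payload.
LOG_LINES = """\
203.0.113.10 - - [10/Jun/2025:12:00:01 +0000] "GET /admin/index.php?module=filemanager&acc=changePerm&fileName=index.html&t_total=755 HTTP/1.1" 200 512
203.0.113.10 - - [10/Jun/2025:12:00:07 +0000] "GET /admin/index.php?module=filemanager&acc=changePerm&fileName=index.html&t_total=755%3BPLACEHOLDER HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2025:12:01:00 +0000] "GET /admin/index.php?module=dns&acc=list HTTP/1.1" 200 2048
"""


def shell_metachars(value: str) -> List[str]:
    """Return the sorted set of shell metacharacters present in value."""
    return sorted({c for c in value if c in SHELL_META})


def inspect_request(target: str) -> Optional[Dict[str, object]]:
    """Flag a filemanager changePerm request whose t_total carries shell metacharacters.

    Returns a finding dict, or None when the request does not match.
    """
    parts = urlsplit(target)
    haystack = (parts.path + "?" + parts.query).lower()
    # Match the function by substring so the exact parameter names do not matter.
    if "filemanager" not in haystack or "changeperm" not in haystack:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("t_total", []):
        # parse_qs already decodes one layer; a second unquote catches double encoding.
        value = unquote(raw)
        meta = shell_metachars(value)
        if meta:
            return {"t_total": value, "metachars": meta}
    return None


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run inspect_request over access-log lines and collect findings with context."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        hit = inspect_request(m.group("target"))
        if hit:
            hit.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES.splitlines()):
        print(f"{f['ts']} {f['ip']} changePerm t_total={f['t_total']!r} metachars={f['metachars']}")
```

Parameters sent in a POST body never reach a standard access log, so this check catches only GET-style or proxy-logged requests; for full coverage pair it with request-body logging at a reverse proxy or with EDR rules on child processes of the CWP PHP workers, as the detection note above suggests.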
## References
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48703
- Vendor/Advisory: https://fenrisk.com/rce-centos-webpanel