Critical Control Web Panel vulnerability is actively exploited (CVE-2025-48703)

On Tuesday, CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-11371, which affects Gladinet’s CentreStack and Triofox file-sharing and remote access platforms, and CVE-2025-48703, a vulnerability in Control Web Panel (CWP), a web hosting control panel designed for managing servers running CentOS or CentOS-based distributions.

While active exploitation of CVE-2025-11371 has been reported on since early October 2025, exploitation attempts involving CVE-2025-48703, though detected by cybersecurity professionals, have so far been less widespread (or less widely observed).

What is Control Web Panel (CWP)?

CWP is server management software that runs on CentOS (whose development was discontinued in late 2020) and its community-driven successors, Rocky Linux and AlmaLinux.

CWP users can opt for the free version, which offers core features for single-server management, or a (paid) Pro version with better security, automatic updates, and improved support.

The software is popular with virtual private server (VPS) and dedicated server operators and is used to manage services like web servers, databases, email servers, DNS, as well as security features.

About CVE-2025-48703

CVE-2025-48703 is a critical OS Command Injection flaw that “allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request.”

The vulnerability’s current CVSS string indicates that it’s exploitable remotely over a network, without prior authentication or user interaction, but also that it’s not trivially exploitable.

Maxime Rinaudo, co-founder of penetration testing firm Fenrisk, explained that attackers must know or guess a valid non-root username to bypass authentication requirements before exploiting CVE-2025-48703. The bad news is that such usernames are often predictable.

CVE-2025-48703 is triggered by sending an HTTPS request with a specially crafted t_total value to the user file manager endpoint (filemanager&acc=changePerm), and allows attackers to run commands as that local user. Thus, an attacker can drop web shells, create persistence, pivot, or escalate further depending on local misconfigurations.

What to do?

With Rinaudo’s technical write-up and PoC published in late June 2025 and other PoC exploits appearing on GitHub since, it was only a matter of time until attackers began attempting to exploit the flaw.

In July 2025, FindSec researchers noted that “exploits are being actively developed and shared in hacking forums,” and advised organizations running CWP to manage Linux-based web hosting environments to patch quickly.

According to Shodan, there are currently over 220,000 internet-facing CWP instances, though it remains unclear how many are still running a vulnerable version.

CVE-2025-48703 affects CWP versions before 0.9.8.1205, released in June 2025.

Users should:

  • Upgrade to version 0.9.8.1205 or later.
  • Restrict access to port 2083 (the user interface) to trusted IPs.
  • Look for signs of compromise, e.g., unexpected reverse shell connections, suspicious chmod executions in logs, new or modified .bashrc, .ssh, or cron entries, connections to unfamiliar IP addresses, and unknown user accounts. If found, the host should be isolated, logs preserved, and a forensic investigation mounted.
  • Use intrusion detection systems to detect/block exploitation attempts.
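
One way to act on the log-review and detection advice above, as an added example that is not from this article or from CWP: a Python triage script that flags changePerm requests whose t_total value is anything other than a plain octal mode. It assumes combined-style access log lines in which the query string is visible; the log format, the /demo/index.php path, the module= and acc=list names and all sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate permission value is a 3- or 4-digit octal mode.
OCTAL_MODE = re.compile(r"[0-7]{3,4}")
# Assumption: combined-style access log lines with the request line in quotes.
LOG_LINE = re.compile(r'(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def classify(target):
    """Return None for unrelated requests, else 'ok', 'unseen' or 'suspicious'."""
    raw_query = urlsplit(target).query
    params = parse_qs(raw_query, keep_blank_values=True)  # percent-decodes once
    # Endpoint markers as given in the article: filemanager + acc=changePerm.
    if "filemanager" not in raw_query or params.get("acc") != ["changePerm"]:
        return None
    values = params.get("t_total")
    if values is None:
        return "unseen"      # value travelled in a body this log does not record
    if all(OCTAL_MODE.fullmatch(v) for v in values):
        return "ok"
    return "suspicious"      # decoded value holds something other than a mode

def scan(lines):
    """Return (line_number, client_ip, verdict) for changePerm requests to review."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_LINE.match(line)
        if not match:
            continue
        verdict = classify(match.group("target"))
        if verdict in ("unseen", "suspicious"):
            findings.append((number, match.group("ip"), verdict))
    return findings

# Constructed sample lines (documentation IP ranges, made-up path and values).
_PREFIX = '- - [01/Jul/2025:10:00:00 +0000] "POST /demo/index.php?module=filemanager'
SAMPLE_LOG = [
    f'203.0.113.10 {_PREFIX}&acc=changePerm&t_total=644 HTTP/1.1" 200 12',
    f'203.0.113.77 {_PREFIX}&acc=changePerm&t_total=644%3BPLACEHOLDER HTTP/1.1" 200 12',
    f'203.0.113.77 {_PREFIX}&acc=changePerm HTTP/1.1" 200 12',
    f'198.51.100.5 {_PREFIX}&acc=list HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the check is an allowlist on the decoded value rather than a list of bad characters, a doubly encoded value is still flagged. An "unseen" verdict only means the log cannot show the value, so those requests need review against other evidence.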
