The U.S. Cybersecurity & Infrastructure Security Agency, widely known as CISA, has sounded the alarm over an actively exploited, critical remote command execution flaw discovered in the CentOS Web Panel (CWP). The agency’s alert stems from observations that threat actors are successfully exploiting this vulnerability, putting numerous Linux servers at risk.
CWP is a popular, free web hosting control panel frequently used by system administrators, web hosting providers, and operators of VPS or dedicated servers as an open-source alternative to commercial solutions like cPanel and Plesk. The widespread use of the panel means this flaw presents a significant and immediate risk across a large segment of the hosting infrastructure landscape. The vulnerability, officially tracked as CVE-2025-48703, is particularly dangerous because it grants a high level of unauthorized access. It allows a remote attacker to execute arbitrary shell commands on the CWP instance as the targeted user.
Crucially, the exploit is unauthenticated, meaning the attacker doesn’t need to log in, and only requires knowledge of a valid username on the affected system to successfully compromise it. This low barrier to exploitation is a primary factor contributing to the urgency of CISA’s warning. The issue affects all versions of CWP preceding 0.9.8.1204 and was publicly demonstrated on CentOS 7 systems by security researcher Maxime Rinaudo in late June. In response to the confirmed active exploitation, CISA has taken the necessary step of incorporating the vulnerability into its Known Exploited Vulnerabilities (KEV) catalog.
This action elevates the risk level associated with CVE-2025-48703 and triggers mandatory compliance for federal civilian executive branch agencies under the BOD 22-01 guidance. These federal entities are now under a strict deadline of November 25 to either apply the available security updates and vendor-provided mitigations or discontinue use of the vulnerable CWP product entirely to eliminate the security gap. A detailed technical write-up by the researcher who discovered the flaw, Maxime Rinaudo, sheds light on its core mechanism. The root cause lies within the file-manager ‘changePerm’ endpoint, which was found to process incoming requests even when the expected per-user identifier was omitted.
This oversight allowed unauthenticated requests to bypass the initial security checks and reach internal code intended only for a logged-in user. The failure to validate the user’s login state was the essential first step in the exploit chain. The second, equally critical factor was how the endpoint handled a specific input parameter. The write-up highlighted that the ‘t_total’ parameter, intended to carry the file permission mode for the system’s ‘chmod’ command, was passed into a shell command unsanitized. This created a classic shell injection vulnerability, enabling the execution of arbitrary commands.
Rinaudo’s demonstration exploit used a specially crafted POST request to the vulnerable ‘changePerm’ endpoint, inserting a shell command into the ‘t_total’ field to spawn a reverse shell connection as the target user.
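As an added illustration (not CWP’s code or Rinaudo’s write-up), the following Python models the two defects described above, a missing login check and an unsanitized mode spliced into a chmod shell command, beside a hardened handler and a small log check that flags changePerm requests whose ‘t_total’ is not a plain octal mode. The ‘path’ field name, the session argument, and the ‘METHOD ENDPOINT BODY’ log format are assumptions.

```python
import os
import re
import stat
import subprocess
import tempfile
from urllib.parse import parse_qs

# Hypothetical model of the flaw described above; added here, not CWP's own code.
OCTAL_MODE = re.compile(r"[0-7]{3,4}")

def vulnerable_change_perm(form):
    """The pattern the write-up describes: no check that a user is logged in,
    and the t_total value is spliced into a shell command line as-is."""
    mode, path = form["t_total"][0], form["path"][0]
    return subprocess.run(f"chmod {mode} {path}", shell=True).returncode

def hardened_change_perm(session_user, form):
    """Fixed handler: refuse requests without an authenticated user, accept
    only an octal mode, and apply it with os.chmod so no shell is involved.
    Returns a status string so each decision can be checked."""
    if not session_user:
        return "rejected: no authenticated user"
    mode = form.get("t_total", [""])[0]
    if not OCTAL_MODE.fullmatch(mode):
        return "rejected: t_total is not an octal mode"
    path = form.get("path", [""])[0]  # hypothetical parameter name
    os.chmod(path, int(mode, 8))
    return "ok"

def flag_suspicious_requests(log_lines):
    """Detection: return changePerm requests whose t_total is not a plain octal
    mode (a missing t_total is flagged too). Lines use a constructed
    'METHOD ENDPOINT BODY' format."""
    hits = []
    for line in log_lines:
        method, endpoint, body = line.split(" ", 2)
        if endpoint != "changePerm":
            continue
        mode = parse_qs(body, keep_blank_values=True).get("t_total", [""])[0]
        if not OCTAL_MODE.fullmatch(mode):
            hits.append(line)
    return hits

# Constructed sample log: one benign call, one with shell metacharacters in t_total.
SAMPLE_LOG = [
    "POST changePerm t_total=755&path=/home/u1/public_html",
    "POST changePerm t_total=755%20%7C%20uname&path=/home/u1/public_html",
    "POST listFiles dir=/home/u1",
]

def demo_hardened_mode():
    """Apply mode 600 to a temp file via the hardened handler; return the mode set."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    assert hardened_change_perm("u1", {"t_total": ["600"], "path": [path]}) == "ok"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.unlink(path)
    return mode
```

The same octal-only check applied at a reverse proxy or WAF in front of the panel gives a stopgap until the 0.9.8.1204 update is applied.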