CVE-2025-48703 — Vulnetix

CVE-2025-48703 PUBLISHED KEV CVSS 9 CRITICAL

CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

EPSS 67.40% · 98.6th percentile

Risk Scores

CVSS v3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

67.40%

98.6th percentile

Affected Products

Vendor	Product	Versions
centos-webpanel	centos_web_panel	0
control-webpanel	webpanel	0
centos-webpanel	CentOS Web Panel	0

Timeline

Jun 24, 2025 PoC Published
Jun 24, 2025 PoC Published
Jun 24, 2025 PoC Published
Jun 25, 2025 PoC Published
Jun 26, 2025 PoC Published
Jun 28, 2025 PoC Published
Jul 2, 2025 PoC Published
Aug 17, 2025 PoC Published
Sep 19, 2025 CVE Published
Sep 19, 2025 PoC Published
Sep 19, 2025 PoC Published
Sep 19, 2025 PoC Published

References

https://fenrisk.com/rce-centos-webpanel url
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48703 url
https://control-webpanel.com/changelog url
https://nvd.nist.gov/vuln/detail/CVE-2025-48703 advisory

Open in Interactive Console →