CVE-2025-48703
published 2025-09-19


Priority: P1 · 99 · critical
CVSS 3.1: 9 (AV:N / AC:H / PR:N / UI:N / S:C / C:H / I:H / A:H)
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2025-11-25)
Exploited in the wild
EPSS: 99.59% (99.9th percentile)
CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

Affected (2 ranges)

Vendor             Product            Version range    Fixed in
centos-webpanel    centos_web_panel   < 0.9.8.1205     0.9.8.1205
control-webpanel   webpanel           < 0.9.8.1205     0.9.8.1205

Detection & IOCs (extracted from sources)

url: POST /{{username}}/index.php?module=filemanager&acc=changePerm
path: /login/index.php
other: Server: cwpsrv
domain: lastpass-login-help.com
url: https://spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com
url: https://cdn.cloudfront-js.com:8443/u
path: /var/lib/.spm/
path: /var/tmp/apt-daily-upgrade
filename: monitor.py
filename: bootstrap.sh
filename: check.sh
filename: update.bin
filename: update-386.bin
filename: update-arm.bin
other: _RPK = "6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo="
port: 27017
port: 8443
command: curl {{interactsh-url}}
  • Exploit targets the `t_total` parameter in a multipart POST to `/<username>/index.php?module=filemanager&acc=changePerm`. Inject shell metacharacters (e.g., a curl OOB callback) in `t_total` to achieve RCE as the specified user.
  • Fingerprint CWP instances via the HTTP response header `Server: cwpsrv` and confirm via body strings `Control WebPanel` and `cwp` on the login page before exploitation.
  • PCPJack drops its orchestrator to disk as `monitor.py` under `/var/lib/.spm/` and installs a `sys-monitor.service` systemd unit for persistence. Detect unexpected systemd services with this name.
  • PCPJack stores its working files under the hidden directory `/var/lib/.spm/`. Presence of this directory or files `monitor.py`, `utils.py`, `_lat.py`, `_cu.py`, `_cr.py`, `_csc.py` within it is a strong indicator of compromise.
  • Sliver C2 binaries are dropped to `/var/tmp/apt-daily-upgrade` (x86_64), alongside `update-386.bin` and `update-arm.bin` variants. Monitor for ELF binaries in `/var/tmp/` with these names.
  • Exfiltration traffic is sent to Telegram C2 channels. Credentials are encrypted with X25519 ECDH + ChaCha20-Poly1305, split into 2800-byte chunks, and each chunk is prepended with a 🔒 emoji. Monitor for outbound Telegram API traffic from server-class hosts.
  • The attacker-controlled X25519 recipient public key embedded in `crypto_util.py` is `6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo=`. Presence of this string in any file on disk is a high-confidence IOC.
  • Check Point IPS signature name for this CVE is `CentOS Web Panel Command Injection (CVE-2025-48703)`. Use this signature name when querying IPS/SIEM logs.
  • The worm harvests credentials from `harvest.jsonl` on disk. Presence of this file in unexpected locations (e.g., home directories, /tmp) indicates active credential harvesting by PCPJack.
  • The second-stage credential harvester (`check.sh`) reads `/proc/*/environ` to extract secrets from running process environments. Monitor for scripts or processes accessing `/proc/*/environ` at scale.
  • Exploitation requires prior knowledge of a valid non-root username on the target CWP instance. Unauthenticated RCE is not possible without this prerequisite.
  • The Nuclei template is marked `verified: false` and uses out-of-band (OOB/interactsh) DNS callback for confirmation. False positives are possible if DNS interaction is not observed; HTTP response alone is insufficient for confirmation.
  • If the `cryptography` Python library is absent on the victim host, PCPJack silently falls back to sending credentials in plaintext to the C2, meaning exfiltrated data may not be encrypted in all infections.
  • The bootstrap script deletes itself after execution (`rm -f "$0"`), removing forensic evidence of the initial infection vector from disk.
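As an added defender-side example that is not part of this record or of any vendor tooling, the following Python script checks a host (or a mounted disk image) for the on-disk indicators listed in the bullets above: the hidden `/var/lib/.spm/` directory and its modules, the `sys-monitor.service` unit, the ELF drops under `/var/tmp/`, `harvest.jsonl`, and the embedded X25519 recipient key. The two systemd unit locations it checks and the constructed sample tree written by `build_sample_tree` are assumptions; `demo()` runs the scan against that constructed tree in a temporary directory.

```python
import pathlib
import tempfile

# Host indicators listed on this page for PCPJack tooling seen after CVE-2025-48703; paths are relative to root.
SPM_DIR = "var/lib/.spm"
SPM_FILES = ("monitor.py", "utils.py", "_lat.py", "_cu.py", "_cr.py", "_csc.py")
SLIVER_DROPS = ("var/tmp/apt-daily-upgrade", "var/tmp/update-386.bin", "var/tmp/update-arm.bin")
UNIT_PATHS = ("etc/systemd/system/sys-monitor.service", "usr/lib/systemd/system/sys-monitor.service")  # assumed locations
RPK = b"6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo="  # attacker recipient key quoted on the page
ELF_MAGIC = b"\x7fELF"

def scan_host(root, content_dirs=("var/lib/.spm", "tmp", "var/tmp", "home", "root")):
    """Return sorted (indicator, path) tuples found under root ("/" on a live host or an image mount)."""
    root = pathlib.Path(root)
    hits = set()
    spm = root / SPM_DIR
    if spm.is_dir():
        hits.add(("hidden working dir", str(spm)))
        hits.update(("PCPJack module", str(spm / n)) for n in SPM_FILES if (spm / n).is_file())
    for rel in SLIVER_DROPS:  # the file names alone are weak evidence; also require an ELF header
        p = root / rel
        if p.is_file() and p.read_bytes()[:4] == ELF_MAGIC:
            hits.add(("Sliver ELF drop", str(p)))
    hits.update(("persistence unit", str(root / u)) for u in UNIT_PATHS if (root / u).exists())
    for d in content_dirs:  # harvested-credential file by name, recipient key by content
        for p in (root / d).rglob("*") if (root / d).is_dir() else ():
            if p.is_file() and p.name == "harvest.jsonl":
                hits.add(("credential harvest file", str(p)))
            if p.is_file() and p.stat().st_size <= 5_000_000 and RPK in p.read_bytes():
                hits.add(("X25519 recipient key", str(p)))
    return sorted(hits)

def build_sample_tree(root):
    """Write a constructed (not real) infection footprint plus one non-ELF decoy under root."""
    files = {
        "var/lib/.spm/monitor.py": b'# constructed stand-in\n_RPK = "' + RPK + b'"\n',
        "var/tmp/apt-daily-upgrade": ELF_MAGIC + b"\x00" * 12,
        "var/tmp/update-386.bin": b"not an ELF, must not be flagged\n",
        "etc/systemd/system/sys-monitor.service": b"[Unit]\nDescription=constructed stand-in\n",
        "tmp/harvest.jsonl": b"{}\n",
    }
    for rel, data in files.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def demo():
    # Build the constructed tree in a temp dir, scan it and return the distinct indicator kinds hit.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted({kind for kind, _ in scan_host(tmp)})
```

On a real host run `scan_host("/")` as root; the decoy `update-386.bin` in the sample tree shows why the ELF-header check matters before acting on a file name alone.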

CVSS provenance

nvd (v3.1): 9.0 CRITICAL, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 9.0 CRITICAL
cisa: 9.0 CRITICAL