CVE-2025-48703
CWP Control Web Panel OS Command Injection Vulnerability
CVSS
—
No CVSS
EPSS
99.6%
p100
KEV
YES
Nov 4, 2025
Exploit Today
80
0-100
Published: — · Last modified: —
Product
CWP / Control Web Panel
Vulnerability
CWP Control Web Panel OS Command Injection Vulnerability
Added to KEV
Nov 4, 2025
Remediate by
Nov 25, 2025
Known ransomware use
No
Summary description
CWP Control Web Panel (formerly CentOS Web Panel) contains an OS command Injection vulnerability that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes
https://control-webpanel.com/changelog ; https://nvd.nist.gov/vuln/detail/CVE-2025-48703