At a glance: CVE-2025-48703, a critical remote code execution flaw in Control Web Panel (CWP), has been added to the Known Exploited Vulnerabilities catalog. Where applicable, Field Effect MDR clients have already been issued ARO alerts with remediation instructions to mitigate this threat.
Threat summary
On November 4, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48703 to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the vulnerability is being actively exploited in the wild.
The flaw affects CWP (Control Web Panel, formerly CentOS Web Panel), a free Linux server management interface widely used by hosting providers, virtual private server (VPS) operators, and dedicated server environments.
The vulnerability impacts internet-facing CWP installations running unpatched versions. According to the National Vulnerability Database, CVE-2025-48703 affects all CWP versions prior to 0.9.8.1205, indicating that this release contains the fix.
However, version 0.9.8.1205 is not yet listed in the official CWP changelog, suggesting the release may have been issued quietly or that documentation has not been updated.
The flaw enables remote code execution by an attacker who knows any valid non-root username; privileged root access is not needed. The vulnerability has been assigned a CVSS v3.1 base score of 9.0, indicating critical severity.
A proof-of-concept (PoC) exploit, released on June 22, demonstrates unauthenticated remote code execution by exploiting unsanitized input in CWP's file manager module. The exploit operates via port 2083, which serves the CWP user interface over HTTPS, so deployments reachable from the public internet are especially exposed.
Successful exploitation allows attackers to execute arbitrary system commands, establish reverse shells, and maintain persistent access.
Security researchers have validated the exploit’s effectiveness, and a Metasploit module is currently in development to automate the attack. This significantly lowers the barrier to entry and increases the risk of widespread exploitation.
Analyst insight
Organizations using CWP should apply the latest available updates and verify that their systems are running version 0.9.8.1205 or later. If patching is delayed, isolate the panel from public internet access and restrict access to trusted IP ranges. Monitoring for signs of compromise, such as unexpected outbound traffic or unauthorized user creation, may assist in early detection of exploitation.
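The version and exposure checks recommended above can be run over an asset inventory, shown here as an added example that is not from Field Effect or the CWP project. The inventory format, host names and address ranges are constructed, and the four-field numeric version format is an assumption based on the version string cited on this page.

```python
import ipaddress

FIXED = (0, 9, 8, 1205)  # first fixed release, per the NVD entry cited above

def parse_version(text):
    """'0.9.8.1204' -> (0, 9, 8, 1204). Four numeric fields is an assumption."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CWP version: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(text):
    # Compare numerically: as strings, "0.9.8.999" would sort after "0.9.8.1205".
    return parse_version(text) >= FIXED

def untrusted_sources(allowed, trusted):
    """Source ranges allowed to reach port 2083 that fall outside every trusted range."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    out = []
    for cidr in allowed:
        net = ipaddress.ip_network(cidr)
        if not any(net.version == t.version and net.subnet_of(t) for t in nets):
            out.append(cidr)
    return out

def triage(host, trusted):
    """Classify one inventory record (hypothetical format, see INVENTORY)."""
    try:
        patched = is_patched(host["version"])
    except ValueError:
        patched = False  # unknown version: treat as vulnerable until confirmed
    if patched:
        return "ok"
    exposed = untrusted_sources(host["port_2083_sources"], trusted)
    return "patch-now-exposed" if exposed else "patch-soon-restricted"

# Constructed sample data: documentation-range addresses, invented host names.
TRUSTED = ["203.0.113.0/24"]
INVENTORY = [
    {"name": "web-01", "version": "0.9.8.1204", "port_2083_sources": ["0.0.0.0/0"]},
    {"name": "web-02", "version": "0.9.8.999", "port_2083_sources": ["203.0.113.16/28"]},
    {"name": "web-03", "version": "0.9.8.1205", "port_2083_sources": ["0.0.0.0/0"]},
    {"name": "web-04", "version": "unknown", "port_2083_sources": ["198.51.100.7/32"]},
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(h["name"], triage(h, TRUSTED))
```

Hosts reported as `patch-now-exposed` are unpatched (or of unknown version) and reachable on port 2083 from outside the trusted ranges, so they are the ones to isolate first.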
Field Effect MDR clients would have already received an ARO alert identifying any CWP instances vulnerable to CVE-2025-48703, with remediation guidance.
Field Effect MDR continuously monitors for vulnerabilities like CVE-2025-48703 through advanced analytics, threat intelligence, and 24/7 visibility across endpoints, networks, and cloud environments. By correlating network traffic, endpoint behavior, and indicators of compromise, it detects and blocks exploit attempts—flagging anomalies such as malformed requests, suspicious outbound connections, or unauthorized privilege changes.