CISA Warns of CWP Vulnerability Exploited in the Wild
The cybersecurity agency CISA on Tuesday warned that a critical vulnerability affecting the Control Web Panel (CWP) server administration software has been exploited in the wild.
CWP, previously named CentOS Web Panel, is a free and widely used Linux web hosting control panel that is designed to simplify server management.
A vulnerability in CWP, tracked as CVE-2025-48703, allows remote attackers who hold no valid credentials to execute arbitrary commands on vulnerable systems. All an attacker needs is a valid non-root username on the target: with that, specially crafted requests bypass authentication and run commands.
The vulnerability was reported to CWP developers in mid-May and patched roughly one month later with the release of version 0.9.8.1205.
There do not appear to be any public reports describing attacks in which CVE-2025-48703 has been exploited.
Findsec warned a few months ago that exploitation was imminent, noting that attacks could be automated and that threat actors had already started developing and sharing exploits on cybercrime forums.
According to Netlas.io, there are roughly 150,000 internet-exposed CWP instances that are potentially affected by CVE-2025-48703, with the largest share in the United States (37,510), followed by Germany, Japan, India, France, and Canada. Shodan shows more than 220,000 internet-exposed instances.
Given this exposure and the exploits already circulating on cybercrime forums, opportunistic exploitation is likely even in the absence of public incident reports.
CISA added CVE-2025-48703 to its Known Exploited Vulnerabilities (KEV) catalog and instructed federal agencies to address it by November 25.
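The two actionable facts in this article are the fixed release (0.9.8.1205) and the KEV due date. The script below, added here as an illustration and not code from SecurityWeek, CWP or CISA, checks a host inventory against both: it compares installed CWP versions numerically against the fixed release and pulls the due date from a feed laid out like CISA's KEV JSON. The field names follow the real KEV feed, but the sample entry, its dates, and the inventory are constructed assumptions, not the catalog record.

```python
import json
from datetime import date

FIXED_VERSION = "0.9.8.1205"  # first patched CWP release, per the article


def parse_version(v):
    """Turn '0.9.8.1205' into a tuple of ints so comparison is numeric, not lexical."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True if the installed version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the
# real feed; the values for this entry are an assumption for the example.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-48703",
            "vendorProject": "Control Web Panel",
            "product": "CWP",
            "dateAdded": "2025-11-04",
            "dueDate": "2025-11-25",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def kev_entry(feed_json, cve_id):
    """Return the KEV record for cve_id, or None if the CVE is not in the feed."""
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry["cveID"] == cve_id:
            return entry
    return None


# Constructed inventory: hostname -> CWP version reported by that host.
INVENTORY = {
    "web1.example.test": "0.9.8.1190",   # older than the fix
    "web2.example.test": "0.9.8.1205",   # exactly the fixed release
    "web3.example.test": "0.9.8.1210",   # newer than the fix
}


def hosts_needing_patch(inventory, feed_json, cve_id="CVE-2025-48703", today=None):
    """Map each still-vulnerable host to the days left before the KEV due date.

    A negative number means the deadline has already passed. `today` is an
    ISO date string; it defaults to the current date.
    """
    entry = kev_entry(feed_json, cve_id)
    if entry is None:
        raise ValueError(f"{cve_id} is not in the KEV feed")
    due = date.fromisoformat(entry["dueDate"])
    now = date.fromisoformat(today) if today else date.today()
    return {host: (due - now).days
            for host, ver in inventory.items() if is_vulnerable(ver)}


if __name__ == "__main__":
    for host, days in hosts_needing_patch(INVENTORY, KEV_SAMPLE, today="2025-11-10").items():
        print(f"{host}: vulnerable, {days} days until the KEV due date")
```

The tuple comparison matters: a plain string compare would rank "0.9.8.999" above "0.9.8.1205" and silently pass an unpatched host. Swap `KEV_SAMPLE` for the downloaded catalog and `INVENTORY` for whatever your asset system reports to use it for real.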
In-the-wild exploitation of a CWP vulnerability was previously reported in early 2023.
This article was published by Security Week. Please check their website for the original content.