CVE-2025-48703

CRITICAL KEV NUCLEI

Control Web Panel < 0.9.8.1205 filemanager - Unauthenticated Command Execution

Title source: manual
STIX 2.1

Exploitation Summary

CVE-2025-48703 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 4, 2025. EIP tracks 4 public exploits from researchers including Skynoxk, ftz7, itstarsec. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains a functional exploit PoC for CVE-2025-48703, demonstrating RCE in cPanel File Manager via unsanitized input in the 't_total' parameter. It includes a scanner script to detect vulnerable targets and a curl-based PoC for command execution.

Description

CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

Exploits (4)

nomisec WORKING POC 3 stars
by Skynoxk · remote
https://github.com/Skynoxk/CVE-2025-48703

The repository contains a functional exploit PoC for CVE-2025-48703, demonstrating RCE in cPanel File Manager via unsanitized input in the 't_total' parameter. It includes a scanner script to detect vulnerable targets and a curl-based PoC for command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: cPanel File Manager (CentOS Web Panel)
Auth required
Prerequisites: Valid cPanel user credentials · Access to the target's File Manager module
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC 2 stars
by ftz7 · poc
https://github.com/ftz7/PoC-CVE-2025-48703

The repository contains a functional Python script that exploits CVE-2025-48703, a command injection vulnerability in the `filemanager` module of cPanel. The exploit sends a crafted POST request to execute arbitrary commands via the `t_total` parameter.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: cPanel (CentOS Web Panel)
Auth required
Prerequisites: Valid credentials (e.g., 'admin') · Access to the target's admin interface on port 2083
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec SUSPICIOUS
by itstarsec · remote
https://github.com/itstarsec/CVE-2025-48703

The repository lacks actual exploit code and only provides a Shodan query for target discovery. The description is vague and does not include technical details about the vulnerability or exploit mechanism.

Classification
Suspicious 80%
Attack Type
Rce
Complexity
Theoretical
Reliability
Theoretical
Target: CentOS Web Panel (CWP) versions up to 0.9.8.1204
No auth needed
Prerequisites: targets running vulnerable CWP versions
devstral-2 · analyzed Feb 18, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/137f/PoC-CVE-2025-48703

The repository contains a functional Python exploit for CVE-2025-48703, targeting a command injection vulnerability in the 'filemanager' module of cPanel via the 't_total' parameter. The exploit sends a crafted POST request to execute arbitrary commands (e.g., 'id') and includes a scanner for bulk target testing.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: cPanel (CentOS Web Panel)
Auth required
Prerequisites: valid admin username · access to target IP/port
devstral-2 · analyzed Feb 25, 2026 Full analysis →

Nuclei Templates (1)

CWP (Control Web Panel) < 0.9.8.1205 - Remote Code Execution
CRITICALby theamanrawat
Shodan: Server: cwpsrv

References (3)

Core 3

Scores

CVSS v3 9.0
EPSS 0.6985
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-11-04
VulnCheck KEV 2025-08-15
ENISA EUVD EUVD-2025-30324
CWE
CWE-78
Status published
Products (1)
control-webpanel/webpanel < 0.9.8.1205
Published Sep 19, 2025
KEV Added Nov 04, 2025
Tracked Since Feb 18, 2026