CVE-2025-48703

CRITICAL 9.0

⚠️ CISA KEV

CVSS Score

9.0

EPSS Score

0.0%

EPSS Percentile

0th

CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.

CWE	CWE-78
Vendor	centos-webpanel
Product	centos web panel
Published	Sep 19, 2025
Last Updated	Feb 26, 2026

⚠️ Actively Exploited — Act Now

Get instant alerts for centos-webpanel centos web panel

This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2025-48703.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

centos-webpanel / CentOS Web Panel

0 < 0.9.8.1205

References

NVD ↗ CVE.org ↗ EPSS Data ↗

fenrisk.com: https://fenrisk.com/rce-centos-webpanel cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48703 control-webpanel.com: https://control-webpanel.com/changelog