A severe vulnerability has been discovered in Control Web Panel (CWP), a hosting management tool widely used on Linux servers. The flaw, tracked as CVE-2025-48703, affects the software’s file management API and allows attackers to execute arbitrary commands through command injection.

Exploitation requires knowledge of a valid username, but given one, attackers can bypass authentication and run system commands remotely. This makes the vulnerability highly dangerous for exposed systems.

The issue has been rated Critical with a CVSS v3.1 base score of 9.1, according to MITRE’s vulnerability database. A proof of concept (PoC) is already available, increasing the risk of exploitation in the wild.

The flaw was reported on May 13, 2025, and fixed in CWP version 0.9.8.1205, released on June 18, 2025. Administrators are strongly urged to update immediately to the patched version to secure their systems.

For further details, refer to the official CWP update page and the NVD entry for CVE-2025-48703.


Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.
