Critical Vulnerability in Control-WebPanel [CWP] File manager


A critical vulnerability has been discovered in CentOS Web Panel (CWP) — specifically within the file manager module — that allows unauthenticated file uploads, arbitrary code execution, and cross-account infections. Even servers running the latest version (0.9.8.1206) on a modern OS such as AlmaLinux 8 are confirmed to be affected.

This flaw is being actively exploited in the wild.

If you are running CWP, you are likely vulnerable.

🧬 What Is the Issue?

The CWP File Manager module can be abused by attackers to:

  • Upload malicious PHP files (even disguised as .jpg)

  • Execute shell commands as any CWP user

  • Laterally infect other accounts on the same server

  • Exploit weak file permission configurations and /tmp folder usage

The core of the vulnerability is an authentication bypass combined with command injection in the File Manager.

🧪 Signs You Might Be Infected

Look for Suspicious Files:

Check the following folders for malicious scripts:

/home/*/public_html/
├── defauit.php (note the typo)
└── nbpafebaef.jpg (contains PHP code)

Sample malicious content (within a .jpg file!):

<?php echo md5("gewafwaef1"); die; ?>

Review Logs:

Check CWP’s Apache access logs for suspicious POST requests:

grep "module=filemanager" /usr/local/cwpsrv/logs/access_log

Look for patterns like:

127.0.0.1 - - [04/Jul/2025:16:50:38 +0100] "POST /user1/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"

Suspicious files found in /tmp:

/tmp/.auto_monitor → Script that spreads malware
/tmp/.tmp_baf → Payload used to create `defauit.php`
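To make the two indicators above (File Manager POSTs in the access log, and .jpg files that really contain PHP) repeatable, here is an added POSIX shell example that is not part of the original post. It runs against a constructed sample log and web root created in a temporary directory, so every path in the demo is an assumption; point the two helper functions at the real CWP log and /home/*/public_html/ on a live server.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for the two
# indicators described above, run here against constructed sample data.

# Count POST requests that hit the File Manager module in a CWP access log.
# Usage: count_filemanager_posts /usr/local/cwpsrv/logs/access_log
count_filemanager_posts() {
    grep -c 'POST [^ ]*module=filemanager' "$1"
}

# List image-named files under a web root that actually contain a PHP open
# tag, which is how nbpafebaef.jpg hides PHP code behind a .jpg extension.
# Usage: find_php_in_images /home/user1/public_html
find_php_in_images() {
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.png' -o -name '*.gif' \) \
        -exec grep -l '<?php' {} \; 2>/dev/null
}

# Build a throwaway web root and access log (constructed, not real server
# data), run both checks on them, clean up, and print the findings.
run_demo() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/public_html/public"
    printf 'GIF89a' > "$demo_dir/public_html/logo.gif"          # benign image
    printf '<?php echo md5("gewafwaef1"); die; ?>\n' \
        > "$demo_dir/public_html/public/nbpafebaef.jpg"        # PHP disguised as a .jpg
    cat > "$demo_dir/access_log" <<'EOF'
127.0.0.1 - - [04/Jul/2025:16:50:38 +0100] "POST /user1/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
127.0.0.1 - - [04/Jul/2025:16:50:39 +0100] "GET /user1/index.php?module=dashboard HTTP/1.0" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [04/Jul/2025:16:50:40 +0100] "POST /user2/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
EOF
    posts=$(count_filemanager_posts "$demo_dir/access_log")
    images=$(find_php_in_images "$demo_dir/public_html" | sed "s|^$demo_dir/||")
    rm -rf "$demo_dir"
    printf 'filemanager_posts=%s\nphp_images=%s\n' "$posts" "$images"
}

run_demo
```

The benign logo.gif is not reported because the check keys on file contents, not the extension, which is the whole point of this indicator.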

🔧 How to Mitigate (Temporary Fix)

Until CWP provides a proper security patch, disable the File Manager module immediately:

mv /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php \
/usr/local/cwpsrv/var/services/user_files/modules/filemanager.php.disabled

✅ This blocks unauthorized uploads while preserving the rest of the panel’s functionality.

🔍 Understanding the Exploit

How it works:

  1. Attacker guesses a valid CWP user (e.g. from /home/ folder names).

  2. Uses the File Manager module to upload arbitrary PHP files.

  3. Executes the uploaded script (e.g. defauit.php) remotely.

  4. Script then loops through other user accounts, deploying malware via /tmp.

What it does NOT do (yet):

  • No confirmed root compromise.

  • Doesn’t affect the root user directly.

  • Doesn’t bypass ModSecurity (if properly configured).


🧯 How to Clean Infected Servers

  1. Scan all user accounts:

find /home/*/public_html/ -type f \( -name "defauit.php" -o -name "*.jpg" \) -exec grep -l '<?php' {} \;

Delete malicious scripts:

rm -f /home/*/public_html/defauit.php
rm -f /home/*/public_html/public/nbpafebaef.jpg

Check and clean the /tmp folder:

rm -f /tmp/.auto_monitor
rm -f /tmp/.tmp_baf

  2. Scan all logs and set up file integrity monitoring.

  3. Change all user passwords and review cron jobs.


💡 Long-Term Advice

  • Migrate away from CWP if possible.

  • If staying:

    • Restrict access to CWP admin and user panels with firewalls.

    • Isolate users via cagefs or similar.

    • Monitor file integrity (e.g., AIDE, rkhunter, or chkrootkit).

  • Switch to NGINX or hardened Apache configs.

  • Consider using paid panels with verified support and security programs (e.g. DirectAdmin, Plesk).


📌 Final Words

The CVE-2025-48703 exploit is a wake-up call for web hosting providers still relying on free control panels like CWP without active security subscriptions. As this is an unauthenticated file upload and command execution vulnerability, it poses critical risk to every website hosted on your server.

Patch, disable, migrate — but don’t ignore this.

📣 Stay tuned to blog.cheap-web-hosting.org for more updates on CWP vulnerabilities, security practices, and server hardening guides.

If you’ve been affected, share your story or mitigation steps in the comments to help others in the community.


🔁 Share this with your fellow sysadmins — especially those managing CWP servers!
