CVE-2025-48703 Elastic Security · Elastic

Detect CVE-2025-48703 - CWP Control Web Panel OS Command Injection in Elastic Security

Detects exploitation of CVE-2025-48703, an OS command injection vulnerability (CWE-78) in CWP Control Web Panel. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through the web panel interface, potentially leading to full server compromise.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=30s
  [process where event.type == "start"
    and process.parent.name : ("httpd", "apache2", "nginx", "cwpsrv", "php", "php-fpm")
    and process.name : ("bash", "sh", "dash", "perl", "python*", "ruby", "curl", "wget", "nc", "ncat", "socat")]
  [process where event.type == "start"
    and process.command_line : ("*id*", "*whoami*", "*passwd*", "*shadow*", "*/tmp/*", "*/dev/shm*", "*base64*", "*wget*", "*curl*")]
critical severity medium confidence

EQL sequence detecting a two-stage OS command injection pattern: web process spawning a shell interpreter followed by execution of reconnaissance or data exfiltration commands on the same host within 30 seconds.

Data Sources

Elastic Endpoint SecurityAuditbeatFilebeat

Required Tables

logs-endpoint.events.process-*auditbeat-*

False Positives & Tuning

  • Legitimate CWP server management operations executed through the web interface
  • System health check scripts triggered by the CWP monitoring subsystem
  • Authorized remote script execution via CWP terminal emulator feature
  • Third-party integrations that execute shell commands through the CWP API

Other platforms for CVE-2025-48703

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CWP Command Injection via API Parameter

    Expected signal: Linux audit log EXECVE event showing 'id' executed by the web server user (www-data/apache/cwp); web access log entry with URL-encoded semicolon in query parameter

  2. Test 2Reverse Shell Establishment Post-CWP Exploitation

    Expected signal: Process creation event for bash spawned by www-data user with -i flag and /dev/tcp redirect; outbound TCP connection to attacker IP on port 4444 from the CWP host

  3. Test 3Credential Harvesting via /etc/shadow Access

    Expected signal: Audit log showing www-data user attempting to read /etc/shadow; base64 encoding command in process arguments; file access event on /etc/shadow

  4. Test 4Dropper Download via Injected wget Command

    Expected signal: wget process spawned by www-data with external URL argument; outbound HTTP GET to attacker-controlled server; file creation event in /tmp by web service user; chmod execution on downloaded file

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-48703 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0003PersistenceTA0004Privilege Escalation

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1003OS Credential DumpingT1133External Remote Services

Same Tactic: Execution

Popular Detections