CVE-2025-48703 CrowdStrike LogScale · LogScale

Detect CVE-2025-48703 - CWP Control Web Panel OS Command Injection in CrowdStrike LogScale

Detects exploitation of CVE-2025-48703, an OS command injection vulnerability (CWE-78) in CWP Control Web Panel. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through the web panel interface, potentially leading to full server compromise.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
DeviceProcessEvents
| filter event_platform = "Lin"
| filter (
    ParentBaseFileName in ("httpd", "apache2", "nginx", "cwpsrv", "php", "php-fpm")
    and (
      FileName in ("bash", "sh", "dash", "perl", "python3", "python", "curl", "wget", "nc", "ncat", "socat")
      or CommandLine matches regex "(?i)(id\b|whoami|/etc/passwd|/etc/shadow|/tmp/[^\s]+|/dev/shm|base64|chmod\s+[0-9]|chown\s)"
    )
  )
| eval RiskLevel = case(
    CommandLine matches regex "(?i)(/etc/shadow|/dev/shm|base64 -d|reverse shell)", "Critical",
    CommandLine matches regex "(?i)(wget|curl|nc |ncat|socat)", "High",
    1=1, "Medium")
| select timestamp, DeviceHostName, UserName, ParentBaseFileName, FileName, CommandLine, RiskLevel
| sort timestamp desc
| limit 500
critical severity medium confidence

CrowdStrike Falcon NG-SIEM query for Linux endpoints detecting CWP web server parent processes spawning suspicious child processes or executing commands associated with OS command injection post-exploitation.

Data Sources

CrowdStrike Falcon Endpoint ProtectionCrowdStrike Insight

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Authorized CWP administrative shell access via the built-in terminal feature
  • CWP module installations that execute shell scripts during setup
  • Legitimate system administration performed through the CWP interface by verified staff
  • Automated CWP backup jobs executing under the web server process context

Other platforms for CVE-2025-48703

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CWP Command Injection via API Parameter

    Expected signal: Linux audit log EXECVE event showing 'id' executed by the web server user (www-data/apache/cwp); web access log entry with URL-encoded semicolon in query parameter

  2. Test 2Reverse Shell Establishment Post-CWP Exploitation

    Expected signal: Process creation event for bash spawned by www-data user with -i flag and /dev/tcp redirect; outbound TCP connection to attacker IP on port 4444 from the CWP host

  3. Test 3Credential Harvesting via /etc/shadow Access

    Expected signal: Audit log showing www-data user attempting to read /etc/shadow; base64 encoding command in process arguments; file access event on /etc/shadow

  4. Test 4Dropper Download via Injected wget Command

    Expected signal: wget process spawned by www-data with external URL argument; outbound HTTP GET to attacker-controlled server; file creation event in /tmp by web service user; chmod execution on downloaded file

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-48703 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0003PersistenceTA0004Privilege Escalation

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1003OS Credential DumpingT1133External Remote Services

Same Tactic: Execution

Popular Detections