Detect CVE-2025-48703 - CWP Control Web Panel OS Command Injection in IBM QRadar

Detects exploitation of CVE-2025-48703, an OS command injection vulnerability (CWE-78) in CWP Control Web Panel. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through the web panel interface, potentially leading to full server compromise.

MITRE ATT&CK

Tactics: Execution, Persistence, Privilege Escalation

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "hostname",
  "Process Name" AS process_name,
  "Command" AS command_line,
  category
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux', 'Syslog', 'Apache HTTP Server')
  AND (
    ("Parent Process" ILIKE '%httpd%' OR "Parent Process" ILIKE '%cwpsrv%' OR "Parent Process" ILIKE '%php%' OR "Parent Process" ILIKE '%nginx%')
    AND ("Command" = 'id' OR "Command" ILIKE 'id %' OR "Command" ILIKE '% id' OR "Command" ILIKE '% id %' OR "Command" ILIKE '%;id%'
         OR "Command" ILIKE '%whoami%' OR "Command" ILIKE '%/etc/passwd%' OR "Command" ILIKE '%/etc/shadow%'
         OR "Command" ILIKE '%wget%' OR "Command" ILIKE '%curl%' OR "Command" ILIKE '%/tmp/%' OR "Command" ILIKE '%base64%')
  )
ORDER BY starttime DESC
LIMIT 500
LAST 24 HOURS

Severity: critical. Confidence: medium.

This QRadar AQL query identifies OS command injection exploitation by correlating CWP web server parent processes (httpd, cwpsrv, php, nginx) with suspicious child command executions, and targets Linux audit and syslog sources on CWP hosts. The bare "id" term is the noisiest part of the rule: match it as a whole command token rather than as a substring, or the rule will fire on any command line that merely contains the letters "id" (systemd, pid lookups, uuid handling). "Parent Process" and "Command" are custom event properties that must be populated by the Linux DSM's parsing for the correlation to work.

Data Sources

  • QRadar Linux DSM
  • QRadar Syslog
  • Apache HTTP Server DSM

Required Tables

events

False Positives & Tuning

  • CWP administrative users executing legitimate shell commands via the panel terminal
  • Automated cron jobs or scripts running under the CWP web service account
  • Security tools performing authorized vulnerability scans on the CWP host
  • CWP system updates or plugin installations that invoke shell commands

Testing Methodology

Validate this detection against the four adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see; executable commands and cleanup steps are available with Pro.

  1. Test 1: CWP Command Injection via API Parameter

    Expected signal: Linux audit log EXECVE event showing 'id' executed by the web server user (www-data/apache/cwp); web access log entry with a URL-encoded semicolon in the query parameter.

  2. Test 2: Reverse Shell Establishment Post-CWP Exploitation

    Expected signal: process creation event for bash spawned by the www-data user with the -i flag and a /dev/tcp redirect; outbound TCP connection to the attacker IP on port 4444 from the CWP host.

  3. Test 3: Credential Harvesting via /etc/shadow Access

    Expected signal: audit log showing the www-data user attempting to read /etc/shadow; base64 encoding command in process arguments; file access event on /etc/shadow.

  4. Test 4: Dropper Download via Injected wget Command

    Expected signal: wget process spawned by www-data with an external URL argument; outbound HTTP GET to an attacker-controlled server; file creation event in /tmp by the web service user; chmod execution on the downloaded file.
