Detect CVE-2025-48703 - CWP Control Web Panel OS Command Injection in Microsoft Sentinel
Detects exploitation of CVE-2025-48703, an OS command injection vulnerability (CWE-78) in CWP Control Web Panel. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through the web panel interface, potentially leading to full server compromise.
MITRE ATT&CK
KQL Detection Query
let cwp_processes = dynamic(['perl', 'python', 'python3', 'bash', 'sh', 'curl', 'wget', 'nc', 'ncat', 'socat']);
let cwp_web_paths = dynamic(['/usr/local/cwpsrv/', '/opt/cwp/', 'cwp_api', 'cwp-api']);
let suspicious_cmds = dynamic(['id', 'whoami', 'uname', 'cat /etc/passwd', 'cat /etc/shadow', 'chmod', 'chown', 'curl', 'wget', '/tmp/', '/dev/shm']);
union DeviceProcessEvents, SecurityEvent
| where TimeGenerated > ago(24h)
| where (ParentProcessName has_any ('httpd', 'apache2', 'nginx', 'cwpsrv', 'php-fpm', 'php')
and ProcessCommandLine has_any (suspicious_cmds))
or (ProcessCommandLine has_any (cwp_web_paths) and ProcessCommandLine has_any (suspicious_cmds))
| extend RiskScore = case(
ProcessCommandLine has_any (['cat /etc/shadow', 'chmod 777', '/dev/shm', 'base64']), 'Critical',
ProcessCommandLine has_any (['wget', 'curl', 'nc ', 'ncat']), 'High',
'Medium')
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ParentProcessName, InitiatingProcessCommandLine, RiskScore
| order by TimeGenerated descDetects suspicious child processes spawned from CWP web server processes that are indicative of OS command injection exploitation. Focuses on web server parent processes executing shell utilities, data exfiltration tools, or file system manipulation commands.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate CWP administrative scripts executed by system administrators via the panel
- Automated maintenance tasks triggered through CWP cron or task scheduler
- Security scanning tools running against the CWP host from an authorized scanner
- Developer testing of CWP API endpoints in a non-production environment
Other platforms for CVE-2025-48703
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CWP Command Injection via API Parameter
Expected signal: Linux audit log EXECVE event showing 'id' executed by the web server user (www-data/apache/cwp); web access log entry with URL-encoded semicolon in query parameter
- Test 2Reverse Shell Establishment Post-CWP Exploitation
Expected signal: Process creation event for bash spawned by www-data user with -i flag and /dev/tcp redirect; outbound TCP connection to attacker IP on port 4444 from the CWP host
- Test 3Credential Harvesting via /etc/shadow Access
Expected signal: Audit log showing www-data user attempting to read /etc/shadow; base64 encoding command in process arguments; file access event on /etc/shadow
- Test 4Dropper Download via Injected wget Command
Expected signal: wget process spawned by www-data with external URL argument; outbound HTTP GET to attacker-controlled server; file creation event in /tmp by web service user; chmod execution on downloaded file
Unlock Pro Content
Get the full detection package for CVE-2025-48703 including response playbook, investigation guide, and atomic red team tests.