CWP Servers Facing Active Exploit Allowing Remote Takeover Without a Password

CWP Servers Are Under Attack: Hosts Should Patch Now

CentOS Web Panel (CWP) has a vulnerability that lets attackers gain remote access to more than 200,000 servers without logging in or authenticating.

As of Wednesday, June 25, the vulnerability, tracked as CVE-2025-48703, affects CWP versions 0.9.8.1204 and 0.9.8.1188. Any hosts running CWP should update immediately to version 0.9.8.1205.

Surprisingly, it’s not a botnet or AI; it’s good, old-fashioned hacking.

The latest updates show the exploit works through port 2083 — which is used for secure access to the CWP user interface over HTTPS — and has been proven to allow remote code execution (RCE). Additionally, a Metasploit module is already being developed to automate the attack.

This isn’t the first time anyone is hearing about this vulnerability.

A patch was released in June 2025 (version 0.9.8.1205); even so, the risk is that many users don’t opt for automated updates and, therefore, may not even know their panel is exposed.

What’s Happening

Security researchers have confirmed the exploit works reliably and are already developing tools to automate it. A Metasploit module is also in progress, which would make it easy to launch mass attacks against exposed servers.

Here’s how it works: Attackers can bypass the login page and execute any command on the server via the file manager without a password, although they do need to know a valid non-root username. From there, they inject code so the server connects back to them remotely.

Vulnerability Summary: CVE-2025-48703

Field: Details
CVE ID: CVE-2025-48703
Component: CentOS Web Panel (CWP)
Affected Versions: 0.9.8.1188, 0.9.8.1204 (CentOS 7)
Patched Version: 0.9.8.1205 (released June 2025)
Vulnerability Type: Remote Command Injection (RCE)
Access Requirements: Unauthenticated, but requires a valid non-root username
Attack Vector: Port 2083 (HTTPS access to CWP panel)
Exploit Status: Public PoC released; Metasploit module in development
Impact: Arbitrary command execution, potential privilege escalation
Exposure Scope: An estimated 200,000+ exposed CWP instances globally
Mitigation: Update to 0.9.8.1205+, audit logs, restrict port access, notify customers

No public confirmation of full takeovers has been issued yet — but history suggests that everything is lined up for a mass breach.

In 2022, the Zimbra Collaboration Suite suffered a similar RCE chain (CVE‑2022‑27925, which led to CVE‑2022‑37042), during which a public exploit allowed attackers to scan and compromise more than 1,000 unpatched servers within days across government sectors.

What Hosts Should Do Right Now

Hosts who have CWP installed should:

  • Update immediately to version 0.9.8.1205
  • Check for any unusual network activity or unauthorized file changes
  • Monitor port 2083 closely
  • Alert affected customers, especially those managing their own panels
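
An added example (not from the original article or from CWP): a small Python triage that ranks a host inventory using the versions named in this article and whether port 2083 is publicly reachable. The inventory columns, hostnames and priority scheme are assumptions made for illustration.

```python
# Added example: fleet triage for CVE-2025-48703 (inventory rows are constructed).
import csv
import io

PATCHED = (0, 9, 8, 1205)                             # fixed release named in the article
LISTED_AFFECTED = {(0, 9, 8, 1188), (0, 9, 8, 1204)}  # versions the article lists

# Constructed inventory; port_2083_public comes from your own scan or firewall data.
SAMPLE_INVENTORY = """host,cwp_version,port_2083_public
web01.example.net,0.9.8.1204,yes
web02.example.net,0.9.8.1205,yes
web03.example.net,0.9.8.1188,no
web04.example.net,0.9.8.1190,yes
web05.example.net,unknown,yes
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not a.b.c.d numeric."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text, public):
    """Map one host to (priority, action); a lower priority number is more urgent."""
    version = parse_version(version_text)
    if version is None:
        return (1 if public else 2, "version unreadable: verify by hand, then update")
    if version >= PATCHED:
        return (4, "patched: keep monitoring port 2083")
    listed = version in LISTED_AFFECTED
    note = "listed affected" if listed else "below patched release"
    if public:
        return (0 if listed else 1, note + ": update now, audit logs and file changes")
    return (2 if listed else 3, note + ": update, confirm 2083 stays restricted")

def triage(inventory_csv):
    """Return [(priority, host, action)] sorted most urgent first."""
    out = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        public = row["port_2083_public"].strip().lower() == "yes"
        prio, action = classify(row["cwp_version"], public)
        out.append((prio, row["host"], action))
    return sorted(out)

if __name__ == "__main__":
    for prio, host, action in triage(SAMPLE_INVENTORY):
        print(f"P{prio} {host}: {action}")
```

Versions older than 0.9.8.1205 that the article does not list are flagged separately rather than assumed vulnerable, and unreadable version strings are surfaced for manual checking instead of being silently treated as patched.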

Since CWP is a free alternative to popular solutions like cPanel and Plesk, it’s most commonly used by budget hosting providers, freelancers, and VPS resellers.

Unfortunately, lower-cost options are often the least secured. It’s as Richard Bird, CSO at Traceable, recently told HostingAdvice:

“This is a dynamic that I thought I would never see in my working career: Companies are making a conscious choice to be less secure for the sake of cost containment,” said Bird. “But it’s like I always say, the bad guys have none of those issues.”

Several hosts, including AccuWebHosting, Touchstone Solutions, and MicroHost, may be affected.

11:30 AM EST: This is a developing story. Some information may be updated or corrected.