CWP Servers Facing Active Exploit Allowing Remote Takeover Without a Password

Writer: Jordan Sprogis

Jordan Sprogis, Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

Editor: Lillian Castro

Lillian Castro, Senior Editor

Lillian Castro brings more than 30 years of editing and journalism experience to our team. She has written and edited for major news organizations, including The Atlanta Journal-Constitution and the New York Times, and she previously served as an adjunct instructor at the University of Florida. Today, she edits HostingAdvice content for clarity, accuracy, and reader engagement.

Reviewer: Cristian Lopez

Cristian Lopez, News Manager

Cristian Lopez uses his Business Marketing background from the University of Illinois at Chicago to create comfortable environments for customers, clients, and colleagues to share their thoughts and ideas openly. From interviewing tech leaders to conducting UX market research projects, Cristian knows the importance of storytelling — a key variable for innovation and inspiration. His goal at HostingAdvice is to wow readers on the ever-evolving nature of the tech industry and bring his audience the most reliable and exciting content on all things hosting.

Follow the HostingAdvice team for a daily dose of tech news, trending IT discussions, and interviews with the web's most innovative technologists.
Follow Us:
2.7k
1k

CentOS Web Panel (CWP) is currently facing a vulnerability that allows attackers to gain remote access to more than 200,000 servers without a login or authentication required.

As of Wednesday, June 25, the vulnerability, titled CVE-2025-48703, affects CWP instances on servers running CentOS Web Panel versions 0.9.8.1204 and 0.9.8.1188. Any hosts running CWP should update immediately to version 0.9.8.1205.

Surprisingly, it’s not a botnet or AI; it’s good, old-fashioned hacking.

The latest updates show the exploit works through port 2083 — which is used for secure access to the CWP user interface over HTTPS — and has been proven to allow remote code execution (RCE). Additionally, a Metasploit module is already being developed to automate the attack.

This isn’t the first time anyone is hearing about this vulnerability.

A patch was released in June 2025 (version 0.9.8.1205); even so, the risk is that many users don’t opt for automated updates and, therefore, may not even know their panel is exposed.

What’s Happening

Security researchers have confirmed the exploit works reliably and are already developing tools to automate it. A Metasploit module is also in progress, which would make it easy to launch mass attacks against exposed servers.

Here’s how it works: Attackers can bypass the login page and execute any command on the server via the file manager without a username or password (but require knowing a valid non-root username). From there, they inject code so the server connects back to them remotely.

FieldDetails
CVE IDCVE-2025-48703
ComponentCentOS Web Panel (CWS)
Affected Versions0.9.8.1188, 0.9.8.1204 (CentOS 7)
Patched Version0.9.8.1205 (released June 2025)
Vulnerability TypeRemote Command Injection (RCE)
Access RequirementsUnauthenticated, but requires a valid non-root username
Attack VectorPort 2083 (HTTPS access to CWP panel)
Exploit StatusPublic PoC released; Metasploit module in development
ImpactArbitrary command execution, potential privilege escalation
Exposure ScopeAn estimated 200,000+ exposed CWP instances globally
MitigationUpdate to 0.9.8.1205+, audit logs, restrict port access, notify customers
Vulnerability Summary: CVE-2025-48703

No public confirmation of full takeovers have been issued yet — but history suggests that everything is lined up for a mass breach.

In 2022, the Zimbra Collaboration Suite suffered a similar RCE chain (CVE‑2022‑27925, which led to CVE‑2022‑37042), during which a public exploit allowed attackers to scan and compromise more than 1,000 unpatched servers within days across government sectors.

What Hosts Should Do Right Now

Hosts who have CWP installed should:

Since CWP is a free alternative to popular solutions like cPanel and Plesk, it’s most commonly used by budget hosting providers, freelancers, and VPS resellers.

Unfortunately, lower-cost options are often the least secured. It’s as Richard Bird, CSO at Traceable, recently told HostingAdvice:

“This is a dynamic that I thought I would never see in my working career: Companies are making a conscious choice to be less secure for the sake of cost containment,” said Bird. “But it’s like I always say, the bad guys have none of those issues.”

Several hosts, including AccuWebHosting, Touchstone Solutions, and MicroHost, may be affected.

11:30 AM EST: This is a developing story. Some information may be updated or corrected.

About the Author

Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

« BACK TO: BLOG

Meet the Experts

Our team of experts with a combined 50+ years of experience in web hosting serve insight and advice to more than 20 million users!

We Know Hosting

$

4

8

,

2

8

3

spent annually on web hosting!