The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding a severe vulnerability in Control Web Panel (CWP), formerly known as CentOS Web Panel.
The flaw allows unauthenticated attackers to execute remote code on vulnerable systems, posing significant risks to organizations running web hosting control panels.
Understanding the Vulnerability
The vulnerability exists as an OS command injection flaw in CWP’s file manager functionality.
Attackers can exploit this weakness by sending specially crafted requests containing shell metacharacters through the t_total parameter in a filemanager changePerm request.
What makes this vulnerability particularly dangerous is that it requires no authentication to exploit, meaning any attacker on the internet can potentially gain control over affected systems.
However, attackers do need to know a valid non-root username on the target system to successfully launch an attack.
The vulnerability stems from inadequate input validation and sanitization of user-supplied data.
When the application processes the t_total parameter without properly filtering special characters, attackers can inject operating system commands that the server will execute with the privileges of the web application.
This direct path to remote code execution (RCE) makes it one of the most critical types of security flaws.
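The injection class described above, as an added illustration that is not CWP's own code: the first handler models the vulnerable pattern (the parameter is pasted into a command line handed to /bin/sh), the second the hardened one (strict allow-list on the mode, path confinement, argv list with no shell). The shape of the request (a mode in t_total plus a file path) and the document-root directory are assumptions for the example; "echo" stands in for chmod so the demo is harmless to run.

```python
import os
import re
import subprocess

# Hypothetical document root the panel user is allowed to touch (assumption).
ALLOWED_BASE = os.path.realpath("/tmp/site")


def vulnerable_changeperm(t_total: str, path: str) -> str:
    """Vulnerable pattern: the user-supplied mode is concatenated into a
    command string and executed through a shell. A ';', '|', '&', '$(...)'
    or backtick in t_total ends the intended command and starts another."""
    command = f"echo chmod {t_total} {path}"   # echo stands in for chmod
    result = subprocess.run(command, shell=True, capture_output=True,
                            text=True, check=True)
    return result.stdout


def hardened_changeperm(t_total: str, path: str) -> str:
    """Hardened pattern: reject anything that is not an octal mode, keep the
    path inside the allowed tree, and pass an argv list so no shell ever
    parses the input. Either of the last two measures alone stops this bug;
    together they also stop path abuse."""
    if not re.fullmatch(r"[0-7]{3,4}", t_total):
        raise ValueError(f"rejected mode: {t_total!r}")
    real = os.path.realpath(path)
    if os.path.commonpath([real, ALLOWED_BASE]) != ALLOWED_BASE:
        raise ValueError(f"path escapes {ALLOWED_BASE}: {path!r}")
    result = subprocess.run(["echo", "chmod", t_total, real], shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    payload = "644; echo INJECTED"          # constructed injection payload
    target = "/tmp/site/index.html"
    print(vulnerable_changeperm(payload, target), end="")
    try:
        hardened_changeperm(payload, target)
    except ValueError as exc:
        print("blocked:", exc)
    print(hardened_changeperm("644", target), end="")
```

Run as-is, the vulnerable handler prints the injected second command's output on its own line, while the hardened handler refuses the payload and only ever runs the single intended command. Note that shell=False alone does not make an argv list safe when the executed program itself interprets its arguments; the allow-list is what keeps t_total to a file mode.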
CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on November 4, 2025, with a remediation deadline of November 25, 2025.
That 21-day window is binding on federal civilian executive branch agencies under Binding Operational Directive 22-01; CISA urges all other organizations to treat it as the benchmark for applying patches and mitigations.
The agency states that the vulnerability is being actively exploited in the wild. Whether it is being used in ransomware campaigns is currently listed as unknown, and that status could change quickly.
Organizations using Control Web Panel should immediately take action to protect their systems.
CISA recommends three primary approaches: first, apply all security patches and mitigations provided by the CWP vendor as soon as they become available.
Second, follow applicable guidance from Binding Operational Directive 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities), including its provisions for cloud services.
Third, if no mitigations are available from the vendor, organizations should consider discontinuing use of the product and migrating to alternative web hosting control panel solutions.
While waiting for official patches, administrators should restrict network access to the Control Web Panel interface with firewall rules, limiting connections to trusted IP addresses only.
A Web Application Firewall (WAF) that detects and blocks requests carrying command injection payloads can provide temporary protection, but it is a stopgap, not a substitute for the vendor fix.
Administrators should also review web server and system logs for requests to the file manager's changePerm function whose t_total value is anything other than a plain file mode, and for unexpected child processes spawned by the web server.
This vulnerability falls under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), which encompasses various command injection flaws across different software platforms.
| Field | Details |
|---|---|
| Vulnerability Type | OS Command Injection |
| CVSS 3.1 Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication Required | None |
| User Interaction | None |
| Affected Product | CWP Control Web Panel (CentOS Web Panel) |
| Vulnerable Parameter | t_total in filemanager changePerm request |
| Impact | Remote Code Execution (RCE) |
| Prerequisites | Valid non-root username knowledge |
| Exploitation Method | Shell metacharacters injection |
| Related CWE | CWE-78: Improper Neutralization of Special Elements in OS Command |
| CISA Alert Date | November 4, 2025 |
| Remediation Deadline | November 25, 2025 |
| Active Exploitation | Yes, confirmed in the wild |
| Known Ransomware Usage | Currently Unknown |