Author Topic: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ


Online
*
I’m reporting a critical security issue affecting multiple servers running CWP (CentOS Web Panel). During a security review on a Laravel-based website hosted via CWP, I found malicious PHP files in the public/ folder that allowed arbitrary code execution.

🛑 What I Found

On my server, inside /home/username/public_html/public/ and /home/username/public_html/, I found two suspicious files:
   •   nbpafebaef.jpg – Contains PHP code despite the .jpg extension:
<?php echo md5("gewafwaef1");die;?>

   •   defauit.php – A PHP script with a misleading name (looks like “default.php”).

These files execute when accessed via a browser. This confirms that PHP is being executed from the public folder, even if disguised with a .jpg extension.

🔍 Widespread Issue – Other Sites Also Affected

After further investigation, I found that other unrelated websites also running CWP have the exact same malicious files in the same locations:
   •   https://basaranturizm.com/
   •   https://coutos.pt/

This strongly suggests a systemic vulnerability, likely related to how CWP manages public folders or file permissions. These sites are not connected to me — I simply found them through Google search using the filename.

❗ Possible Vectors

Some possibilities include:
   •   Insecure permissions on public/ allowing PHP file uploads or writes
   •   Compromise via CWP File Manager or outdated software
   •   Global vulnerability in CWP’s file handling or directory security

⚠️ Request to CWP Team

Please investigate this urgently. It’s very likely that:
   •   CWP has a flaw allowing code execution in public folders
   •   Default permissions or services are enabling attackers to inject files across multiple servers

If CWP developers need any of the samples or log details, I’m happy to provide them privately.
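A defender's way to hunt for the two artefacts described above, as an added example (not code from the original post or from CWP): walk a document root and flag files whose extension says image/text but whose first bytes carry a PHP open tag, plus the two filenames named in the thread. The sample tree it builds is constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Filenames reported in the thread (the same pair on every infected account).
KNOWN_NAMES = {"defauit.php", "nbpafebaef.jpg"}
# Extensions that should never carry a PHP open tag.
NON_PHP_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".svg", ".txt", ".css", ".js"}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def classify(path: Path, head: bytes) -> list:
    """Return the reasons a file looks suspicious (empty list = clean)."""
    reasons = []
    if path.name in KNOWN_NAMES:
        reasons.append("known-ioc-name")
    if path.suffix.lower() in NON_PHP_EXT and PHP_TAG.search(head):
        reasons.append("php-tag-in-non-php-file")
    return reasons

def scan_tree(root: str, head_bytes: int = 4096) -> dict:
    """Walk root (e.g. /home/<user>/public_html) and map suspicious paths to reasons.
    Only the first head_bytes of each file are read, so large media stays cheap."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                with open(p, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:  # unreadable file: skip it, do not abort the sweep
                continue
            reasons = classify(p, head)
            if reasons:
                findings[str(p)] = reasons
    return findings

def build_sample_tree() -> str:
    """Constructed demo tree: the two artefacts from the thread plus two benign files."""
    root = tempfile.mkdtemp(prefix="cwp_scan_")
    pub = Path(root) / "public_html" / "public"
    pub.mkdir(parents=True)
    (pub / "nbpafebaef.jpg").write_bytes(b'<?php echo md5("gewafwaef1");die;?>')
    (pub / "defauit.php").write_bytes(b"<?php /* constructed stand-in */ ?>")
    (pub / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF")  # real JPEG magic
    (pub / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
    return root
```

Point `scan_tree()` at each account's public_html on a real server; the returned dict lists only the hits, with the reason per file.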


Online
*****
Are you running malware detection scans on your system?

https://basaranturizm.com indeed serves up examples of these trojan files -- oddly that's all the domain serves and it allows file listing, so something is not normal about it. Looks to be PayPal scam related. Perhaps it is even a source domain for the files to be retrieved from. I located some of those files on a backup of a CentOS 7 system VM running Apache. One CentOS 7 system I have in legacy mode is clean -- but it runs Nginx, not Apache. Two newer AlmaLinux servers I have are clean. So my suspicion is that there is a weakness in the default Apache config on CWP or a problem with CentOS 7 systems -- all the more reason to get off of EL7 and get to an EL8 or EL9 foundation.

Offline
*
Scary but is it true?
What system does CWP run on?
Please provide the CWP version you are using?
Apache version?
PHP version for the CWP panel?
What web server?
ModSecurity enabled? If so, in what version?
Roundcube in what version?
I am not affiliated with the creators of CWP, I just want to compare it with my installation. There could be many attack vectors.
« Last Edit: July 07, 2025, 05:03:52 PM by tomkolp »

Online
*
My server has AlmaLinux 8; everything was updated and on the latest version. I have more servers and only one was affected.
But all client accounts on the server have the same 2 files.
In the logs I found this:
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:38 +0100] "POST /user1/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:39 +0100] "POST /user2/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:40 +0100] "POST /user3/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:41 +0100] "POST /user4/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:41 +0100] "POST /user5/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
/usr/local/cwpsrv/logs/access_log:127.0.0.1 - - [04/Jul/2025:16:50:42 +0100] "POST /user6/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"

This is at the same time that defauit.php was created; the nbpafebaef.jpg was created some days after.

In the root /tmp folder I found two suspect files:
/tmp/.auto_monitor and /tmp/.tmp_baf

.auto_monitor was the file that has the code to duplicate the .tmp_baf on each account and rename it to defauit.php
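Added example (not code from the poster or from CWP) that turns the access_log pattern above into a detection: parse cwpsrv access_log lines and alert on a source that POSTs to the filemanager module against several distinct usernames within a short window. The embedded log lines are constructed to mirror the excerpt; the 203.0.113.9 request is a made-up benign entry.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the cwpsrv access_log excerpt in the thread:
# one local source sweeping several usernames, then an unrelated normal request.
SAMPLE_LOG = """\
127.0.0.1 - - [04/Jul/2025:16:50:38 +0100] "POST /user1/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
127.0.0.1 - - [04/Jul/2025:16:50:39 +0100] "POST /user2/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
127.0.0.1 - - [04/Jul/2025:16:50:40 +0100] "POST /user3/index.php?module=filemanager&acc=findFiles HTTP/1.0" 302 16 "-" "python-requests/2.18.4"
203.0.113.9 - - [04/Jul/2025:17:10:02 +0100] "GET /user1/index.php?module=filemanager&acc=list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                     r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
USER_RE = re.compile(r"^/(?P<user>[^/]+)/index\.php\?module=filemanager")

def parse_line(line: str):
    """Parse one combined-format line; returns None if it does not match."""
    if line.startswith("/"):          # drop a 'grep' filename prefix if present
        line = line.split(":", 1)[1]
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_filemanager_sweeps(log_text: str, min_users: int = 3, window_s: int = 60) -> list:
    """Alert on a source IP that POSTs to the filemanager module of at least
    min_users distinct CWP usernames within window_s seconds."""
    hits = defaultdict(list)                      # ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        um = USER_RE.match(rec["path"])
        if um:
            hits[rec["ip"]].append((rec["ts"], um["user"]))
    alerts = []
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):      # sliding window from each event
            users = {u for t, u in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                alerts.append({"ip": ip, "users": sorted(users), "start": t0.isoformat()})
                break
    return alerts
```

Feed it the real file with `find_filemanager_sweeps(open("/usr/local/cwpsrv/logs/access_log").read())`; a loopback source touching many users in seconds, as in the excerpt, is the thing to chase.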


Online
*****
Actually, it looks to be a Thai porno/romance portal -- the PayPal payment script is probably to reel in payments.
https://www.nongwangkudrung.go.th/video/
(not going to make this a clickable link)

Offline
*
Well, I figured the bug out. It is bad. Quite bad. Lock down your file manager is all I can say publicly for obvious reasons.
But yeah, you can upload arbitrary files to any CWP user as long as you know (or can guess) their username.

Just registered on here after testing this on my own CWP installation out of curiosity (and wanting to make sure my servers are secure).

Does anyone know a security contact at CWP I could poke? Just using their "contact us" form as well, I suppose.

Offline
*
Since I realized I can't edit my own posts, and I forgot to give better instructions:

You want to delete /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php (or rename it to something like filemanager.php.disabled; make sure it no longer has a .php extension at the end).

Offline
*
Thanks for that.

I'm wondering (maybe it sounds stupid), but if malware can elevate its permissions to "root" level, then file uploads would be the least of my concern?

Else how can the malware read, write, or execute anything on this file if it is under 644 root ownership?

Again it might sound stupid. Newbie here.

Online
*
You’re absolutely right to be concerned — and I believe we may be dealing with two distinct but related security issues.

Issue 1: File Manager Vulnerability (Confirmed)
As already pointed out, the filemanager.php module in CWP seems to allow arbitrary file upload to any user account, as long as the attacker can guess the username. This is a critical flaw in access control and should be treated as a top-priority zero-day vulnerability.

This alone explains how attackers managed to inject malicious files like defauit.php or nbpafebaef.jpg across multiple accounts.

➡️ Temporary mitigation: Disable or rename the file:
/usr/local/cwpsrv/var/services/user_files/modules/filemanager.php
I’ve renamed it to filemanager.php.disabled to block access while waiting for an official fix.

Issue 2: Lateral File Injection via /tmp (Needs confirmation)
What’s particularly concerning is that on my server, all user accounts had identical malicious files — including accounts with no websites or activity.
I found two suspicious scripts in /tmp/:
   •   /tmp/.auto_monitor: Contains code to iterate over all user accounts and drop malicious files
   •   /tmp/.tmp_baf: A payload later renamed per user as defauit.php

The auto_monitor script appears to loop through /home/*/public_html/ and replicate the payload across accounts.

Now, here’s the key problem:
Even if filemanager.php was used to inject a file into one account, it doesn’t explain how the malware was then able to write to other accounts — unless:
   1.   The injected script gained elevated privileges or exploited a weak configuration
   2.   Some CWP service or cron is running PHP scripts from /tmp under a shared or root context
   3.   There’s a misconfigured global process that allows cross-account write access from within user space

This part needs deeper analysis. But the implications are very serious:
Even a single compromised account could lead to full lateral infection.

Online
*
New update: this security issue is already public on https://fenrisk.com/rce-centos-webpanel and https://cybersecuritynews.com/linux-centos-web-panel-vulnerability/, with the code CVE-2025-48703.
These articles say that this is already fixed in 0.9.8.1205, but I'm on 0.9.8.1206 and I have the problem.

Please we need some update from someone on the CWP Team

Online
*****
So according to the 2 vulnerability reports you mentioned, it's limited to EOL CentOS 7 systems -- for which support ended over a year ago. Not too surprising, really. The longer those systems are on the internet, the more of sitting ducks they become. Time to migrate to AlmaLinux!

Can you confirm that you both are running CentOS 7 systems?

Caught one probe for this vuln on one of my Alma systems, coming from Hong Kong:
Code:
[root@alma]# grep "module=filemanager" /usr/local/cwpsrv/logs/access_log
91.124.30.69 - - [08/Jul/2025:04:50:00 -0500] "POST /myuser/index.php?module=filemanager&acc=changePerm HTTP/1.1" 404 147 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14.7; rv:134.0) Gecko/20100101 Firefox/134.0"
« Last Edit: Today at 02:29:47 PM by overseer »