# CVE-2025-48703 Vulnerability and Implemented Security Measures
Hello CWP Community,
We recently became aware of a security vulnerability identified as **CVE-2025-48703**, affecting the file manager module in CWP. You can find more details on [GitHub](https://github.com/trh4ckn0n/CVE-2025-48703). To help the community, I’d like to share the steps we took to secure our server (running CentOS 8.5.2111 with CWP).
## Implemented Security Measures
1. **Blocking File Manager Access**
The vulnerability involves the file manager module. To mitigate this, we added the following `.htaccess` rules to all users’ `public_html` directories:
```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} module=filemanager&acc=findFiles [NC]
RewriteRule ^ - [F,L]
</IfModule>
```
We applied these rules across all relevant user directories.
2. **Firewall Blocking for Suspicious Access**
We blocked suspicious IP addresses using the firewall:
```bash
firewall-cmd --permanent --add-source=<suspicious-ip> --zone=block
firewall-cmd --reload
```
3. **Fixing User Permissions**
To correct file and directory permissions, we used CWP’s permission repair script:
```bash
/usr/local/cwpsrv/htdocs/resources/scripts/fixperms <username>
```
4. **CWP Update**
We updated CWP to the latest version:
```bash
/usr/local/cwpsrv/htdocs/resources/scripts/update_cwp
```
5. **Malware Scanning**
We performed scans to detect malicious files:
```bash
/usr/local/cwpsrv/htdocs/resources/scripts/maldet_scan
rkhunter --check
```
6. **PHP File Monitoring System**
For our high-traffic server, we developed a script to monitor newly created `.php` files. The script recursively monitors user directories, skips session files (e.g., `sess_*`), and sends hourly email notifications for detected `.php` files. It uses `inotify-tools` and is compatible with CentOS 8. If you’d like the script details, please let me know!
## Additional Recommendations
- **Email Notifications**: We use Postfix for email notifications. If you encounter email issues, check the Postfix logs:
```bash
tail -n 50 /var/log/maillog
```
Alternatively, you can configure Gmail SMTP:
```bash
dnf install -y cyrus-sasl-plain
nano ~/.mailrc
```
Contents:
```
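set from="your-email@gmail.com"
set smtp=smtp.gmail.com:587
# Port 587 expects STARTTLS before authentication
set smtp-use-starttls
set smtp-auth-user=your-email@gmail.com
set smtp-auth-password=your-app-specific-password
set smtp-auth=login
# ignore turns off TLS certificate verification; strict enforces it
set ssl-verify=ignore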
```
- **inotify Limits**: For recursive monitoring on high-traffic servers, we increased `inotify` limits:
```bash
# Persist the limit, then load it (sysctl -p only applies /etc/sysctl.conf)
echo "fs.inotify.max_user_watches=524288" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
These measures have secured our server and enabled us to monitor new `.php` files effectively. If you’ve encountered CVE-2025-48703 or implemented additional measures, please share your experiences. Community feedback is invaluable!
Thank you,
Mr Green
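
One way to build the monitor described in item 6, as an added example that is not the original poster's script. The `WATCH_ROOT`, `QUEUE` and `MAILTO` values and the `watch`/`digest` modes are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the original poster's script). Assumed values:
WATCH_ROOT="${WATCH_ROOT:-/home}"              # where user accounts live
QUEUE="${QUEUE:-/var/log/new_php.queue}"       # root-owned detection queue
MAILTO="${MAILTO:-root}"                       # digest recipient

# Read "timestamp|path" lines on stdin and print those naming a .php file.
# Matching on the suffix only means PHP session files (sess_<id>, no
# extension) drop out, while a file named "sess_x.php" is still reported.
filter_events() {
    while IFS='|' read -r ts path; do
        case "$path" in
            *.[pP][hH][pP]) printf '%s %s\n' "$ts" "$path" ;;
        esac
    done
}

# Mail queued detections once, deduplicated. The queue is renamed first so
# events appended during sending land in a fresh file; if the send fails,
# the batch stays on disk as $QUEUE.<pid> instead of being overwritten.
send_digest() {
    [ -s "$QUEUE" ] || return 0
    mv "$QUEUE" "$QUEUE.$$" || return 1
    sort -u "$QUEUE.$$" \
        | mail -s "New .php files on $(uname -n)" "$MAILTO" \
        && rm -f "$QUEUE.$$"
}

case "${1:-}" in
    watch)   # long-running: one line per created or moved-in file
        # --exclude drops session-id-shaped names before they reach the shell
        inotifywait -m -r -q -e create -e moved_to \
            --exclude '/sess_[A-Za-z0-9,-]+$' \
            --timefmt '%F %T' --format '%T|%w%f' "$WATCH_ROOT" \
        | filter_events \
        | while IFS= read -r hit; do printf '%s\n' "$hit" >> "$QUEUE"; done
        ;;
    digest)  # run from an hourly cron job
        send_digest
        ;;
esac
```

Run the `watch` mode as a long-lived service and the `digest` mode from an hourly cron entry. Watching `moved_to` as well as `create` catches files that are uploaded under a temporary name and then renamed to `.php`.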