Author Topic: [CRITICAL] Multiple CWP Servers Infected – Arbitrary PHP Code Execution via Publ  (Read 11769 times)


I'm not sure if the File Manager issue is resolved with the update because my server was recently hacked. Or it was hacked a while ago, but the hacker only acted now, because it only affected traffic to the sites I have on the VPS two weeks ago, and it only affected the .htaccess file since October 17th.
I've been closely monitoring the VPS since the 18th, and apparently nothing strange has happened again. However, I warn you that WordPress websites, in particular, have contaminated files. That is, in addition to new files, they also modify WordPress system files, and the only solution is deleting and restoring a backup.
Also, on WordPress websites, users appeared in the database that were not visible in the WordPress user manager. You need to remove them via phpMyAdmin.
The hacker modified the robots.txt and .htaccess files to direct traffic to an online store.
I recommend everyone try a Google search for "site:yourdomain.tld" to check for abnormal results or redirects.

I recommend restoring backups of everything in the public_html folder because if any file is infected, the malicious files will reappear.

I'm not sure if the File Manager issue is resolved with the update
https://fenrisk.com/rce-centos-webpanel
Quote
Conclusion
This exploitation scenario has been tested on versions 0.9.8.1204 and 0.9.8.1188 on Centos7 and reported to CWP developers the 13th of May 2025 as CVE-2025-48703. It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server.

The vulnerability has been patched on latest version 0.9.8.1205 during June 2025.

Timeline
13/05/2025: First contact with CWP.
23/05/2025: CVE-2025-48703 assigned.
18/06/2025: Patch available on version 0.9.8.1205.


Configure your vhosts (or add an .htaccess configuration to your websites).

If you don't need them, disable these PHP functions:
Command execution: exec, system, passthru, shell_exec, proc_open, popen, pcntl_exec
File and folder permissions: chmod, chown, chgrp
Date time manipulation of files: touch
Code evaluation: eval, create_function, assert

Make sure that in your php.ini you have this configuration:
allow_url_include = Off

Then change your file permissions so no one can change the content. Only allow file changes in upload folders, and don't allow them to execute files.

At the moment, your vulnerabilities are just within PHP.
« Last Edit: October 26, 2025, 09:45:37 AM by pedromidiasf »
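The php.ini hardening above, as an added example that is not code from the thread or from CWP: a POSIX sh audit that reports which functions from the list are still enabled, how PHP will read allow_url_include, and an Apache 2.4 .htaccess that denies execution in an upload directory. It assumes the function names are the ones listed in the post; eval is left out of the check because it is a language construct that disable_functions cannot switch off, and the two php.ini files it scans are constructed samples, not taken from any real host.

```shell
#!/bin/sh
# Added example, not code from the thread or from CWP: audit a php.ini against the
# hardening recommended above. Plain POSIX sh, no external tools beyond sed/tr/tail.
# Assumption: the function list is the one from the post, minus eval, which is a
# language construct and is not affected by disable_functions.
umask 022

DANGEROUS_FUNCS="exec system passthru shell_exec proc_open popen pcntl_exec chmod chown chgrp touch create_function assert"

# Effective value of an ini directive: last uncommented assignment wins (as PHP does),
# with a trailing ';' comment and surrounding quotes stripped. Usage: ini_value FILE DIRECTIVE
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' \
        | tail -n 1
}

# Print the functions from DANGEROUS_FUNCS that are NOT in disable_functions
# (empty output means everything on the list is disabled).
missing_disabled() {
    disabled=" $(ini_value "$1" disable_functions | tr ',' ' ') "
    missing=""
    for f in $DANGEROUS_FUNCS; do
        case "$disabled" in
            *" $f "*) ;;                      # already disabled
            *) missing="$missing $f" ;;
        esac
    done
    echo "${missing# }"
}

# allow_url_include as PHP interprets it: 0/off/no/false/none, empty or absent all mean Off.
url_include_state() {
    v=$(ini_value "$1" allow_url_include | tr '[:upper:]' '[:lower:]')
    case "$v" in
        ""|0|off|no|false|none) echo Off ;;
        *) echo On ;;
    esac
}

# Apache 2.4 .htaccess for an upload directory: files can be written there but never served
# or executed as PHP. Assumes AllowOverride permits FilesMatch/Require in that vhost.
uploads_htaccess() {
    cat <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed sample php.ini files (not from any real server) so the script runs offline.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
WEAK_INI="$TMPD/weak.ini"
HARD_INI="$TMPD/hardened.ini"
cat > "$WEAK_INI" <<'EOF'
; stock-looking php.ini: nothing disabled, remote include allowed
disable_functions =
allow_url_include = On
EOF
cat > "$HARD_INI" <<'EOF'
; hardened as the post recommends (quoted value with a trailing comment, which PHP accepts)
disable_functions = "exec,system,passthru,shell_exec,proc_open,popen,pcntl_exec,chmod,chown,chgrp,touch,create_function,assert" ; eval cannot go here
allow_url_include = Off
EOF

for ini in "$WEAK_INI" "$HARD_INI"; do
    echo "== $ini"
    echo "still enabled:     $(missing_disabled "$ini")"
    echo "allow_url_include: $(url_include_state "$ini")"
done
echo "note: eval is a language construct; grep your code for it, disable_functions will not stop it"
echo "== .htaccess for an upload directory"
uploads_htaccess
```

Run it as-is to see the weak sample fail and the hardened one pass, or call `missing_disabled /usr/local/php/php.ini` (path assumed; use the one `php --ini` reports for your CWP build) against a real file. On CWP, if PHP runs through php-fpm rather than mod_php, `php_flag engine off` in .htaccess does nothing, which is why the generated rule denies the files at the Apache level instead.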

.htaccess modified
index.php sometimes modified
defauit.php added
about.php added
nbpafebaef.jpg added
files like 0vuFDw.php, 0hmIaF.php, 0soCeG.php created
radio.php added
content.php added
lock360.php added
admin.php added
Admin role Users added to DB

Be careful!

There are more files, follow the topic to find out more about it.
Some of your files are not present on my server. Probably a previous attack?

Yes, the latter files are from other PHP injection attacks with web shells. I've observed those over the years on various servers and panels -- not specific to CWP or the currently discussed CVE (which is patched).

This wave of malware was nasty.

Maldetect / ClamAV failed big time.

I would find the issues (WordPress sites), fix the directory permissions and delete the hijacked files.

The MU plugin folder was constantly being populated with *.php files.

Following the instructions here and all over the web (LOL) I finally beat it.

The Wordfence plugin is bloated for daily use on each and every site, but I did install it on the two sites I was having the hardest time taming, and it did find the last few (4-5) files that I had missed. I should have installed it sooner. In any event it found the last few suspicious files, I manually nuked them, then uninstalled it.


Even CWPpro version 0.9.8.1218 still gets hacked: 3/Nov/2025:13:12:40 +0400] "POST /uploads/leads/1/index.php? I enabled all security tools, but still no luck.

My WordPress websites are also infected, and other non-WordPress websites too. index.php was replaced, and licelic.c" backup.c defauit.php were added. I found admin accounts in the database (WP-user) such as wpadmin@volovmart.ru. I don't know how it happened, but I think the panel is hacked, because it doesn't affect only the WordPress CMS. I'm using CWP pro.
Hello,

We're encountering the same situation on one of our servers.
While we're actively performing cleanup operations, the critical question remains: Has this vulnerability truly been resolved by the "silent patch"?

Do you have any information about when, and in what version, the patch/update was released?

Best regards,
I have the same problem. My VPS are infected.
Im using CWPpro version: 0.9.8.1218 and Rocky Linux release 9.5
After the intrusion I have problems with SEO; Google results display titles from other sources.
My websites' traffic has plummeted in the last few days because of this change. When I type site:mydomain.tld into Google, I see that the results point to my websites, but the text is different.
Does anyone else have this problem? Do you know how to fix it? How did you manage to change it? I've already submitted sitemaps to Google Search Console, but I'm not sure if it will work.

The first thing to do is to rename /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php to /usr/local/cwpsrv/var/services/user_files/modules/filemanager.php.disabled

Then follow the messages sent by @pedromidiasf and me at page 5 to page 7. You will see the names of the malicious files dropped by attackers.

What the exploiters are capable of at the start is the same as the File Manager, and this might not seem worrying. But then they take full advantage of PHP, so if they want to remove all of your files, they can, and they can redirect your visitors to other websites.

If I were the one using this exploit, I could turn it into a DDoS tool by redirecting every visitor to the website I want to cause a DoS on. So there is no limit, they can do anything they want, and every IT admin should take this seriously.

Hi friend, I'm still fighting to fix it. Disabling the filemanager is a temporary solution. My sites' traffic is growing. I deleted all infected files, enabled the ModSec rules and scanned all WordPress websites with Wordfence. But uploads are still possible over POST; I see them in the logs every 2 days, and the index files on my web pages are being replaced with the hacker's files. I found folders with permission 777 on my server. Sadly CWP doesn't have a reinstall or uninstall solution for a case like this to fix hacked files.
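An added triage script (not code from the thread or from CWP) that pulls together the indicators posted in this topic: the dropped file names and the 0xxxxx.php pattern from the file list earlier in the thread, PHP sitting inside uploads and mu-plugins, the 777 folders, and freshly changed .htaccess/index.php/robots.txt. The 0xxxxx.php regex is an assumption inferred from the three names posted, KNOWN_DROPS is a hypothetical name for that list, and the web root it scans is a constructed sample tree, not a real site.

```shell
#!/bin/sh
# Added example, not code from the thread: triage a web root for the indicators posted
# earlier in this topic. POSIX sh + find/grep/sort only, so it runs on a CWP box as-is.
# Assumptions: the 0xxxxx.php pattern (0 + five alphanumerics) is inferred from the
# three names posted and is only a heuristic; KNOWN_DROPS is our name for the posted list.
umask 022

KNOWN_DROPS="defauit.php about.php radio.php content.php lock360.php admin.php"

# PHP files whose basename is one of the posted names or matches the 0xxxxx.php pattern.
# Usage: find_named_drops WEBROOT
find_named_drops() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        b=$(basename "$f")
        for k in $KNOWN_DROPS; do
            if [ "$b" = "$k" ]; then echo "$f"; continue 2; fi
        done
        if echo "$b" | grep -Eq '^0[A-Za-z0-9]{5}\.php$'; then echo "$f"; fi
    done | LC_ALL=C sort
}

# Any PHP under an uploads or mu-plugins directory. Uploads should never hold PHP, and the
# thread reports mu-plugins being refilled with dropped files, so everything there is listed for review.
find_php_in_uploads() {
    find "$1" -type f -name '*.php' \( -path '*/uploads/*' -o -path '*/mu-plugins/*' \) | LC_ALL=C sort
}

# World-writable directories (the permission-777 folders mentioned above).
find_world_writable() {
    find "$1" -type d -perm -002 | LC_ALL=C sort
}

# .htaccess, index.php and robots.txt changed in the last N days (default 14), the files the
# thread reports being rewritten to redirect traffic. Usage: find_recent_core WEBROOT [DAYS]
find_recent_core() {
    find "$1" -type f \( -name .htaccess -o -name index.php -o -name robots.txt \) \
        -mtime -"${2:-14}" | LC_ALL=C sort
}

# Constructed sample web root (not a real site) so the script runs offline.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/wp-content/uploads/2025/10" "$ROOT/wp-content/mu-plugins" "$ROOT/wp-includes"
for f in index.php .htaccess robots.txt wp-login.php defauit.php 0vuFDw.php \
         wp-includes/functions.php \
         wp-content/uploads/2025/10/0hmIaF.php wp-content/uploads/2025/10/photo.jpg \
         wp-content/mu-plugins/zzz.php; do
    : > "$ROOT/$f"
done
chmod 777 "$ROOT/wp-content/uploads/2025/10"

for fn in find_named_drops find_php_in_uploads find_world_writable find_recent_core; do
    echo "== $fn"
    "$fn" "$ROOT"
done
```

Point the functions at a real docroot (for example `find_named_drops /home/user/public_html`, path assumed) and treat the output as a review list, not a verdict: names alone are weak evidence, and wp-admin/admin.php is a legitimate WordPress core file, so confirm core files with WP-CLI's `wp core verify-checksums` or a diff against a clean download. Hidden administrators are found in the database rather than the WP user screen, e.g. `SELECT u.ID, u.user_login, u.user_email FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%';` (table prefix wp_ assumed). Deleting files without closing the entry point only restarts the cycle, which is what the repeated POSTs to the uploads path above look like.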

CWP 0.9.8.1218 has this original bug fixed for a long time with the File Manager.

What you posted is in a WordPress path.

Simple fix, don't use WordPress, or use a security plugin.

Also secure your php.ini under disable_functions =

If you're not sure how to secure a server or clean one after an attack, you might want to think about hiring a sysadmin.