CISA Adds Gladinet CentreStack and CWP Control Web Panel Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities—CVE-2025-11371 in Gladinet CentreStack/Triofox and CVE-2025-48703 in Control Web Panel (CWP)—to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. CVE-2025-11371 is a local file inclusion flaw in Gladinet CentreStack and Triofox that allows unauthenticated access to system files, with reports from Huntress indicating that threat actors have already targeted at least three organizations by running reconnaissance commands via Base64-encoded payloads. CVE-2025-48703 is an unauthenticated remote code execution vulnerability in CWP, exploitable via shell metacharacters in the t_total parameter of a filemanager request, though there are currently no public reports of this flaw being weaponized in real-world attacks.
CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by November 25, 2025, to mitigate these risks. Both Gladinet and Huntress have issued alerts and recommended workarounds for the actively exploited CentreStack/Triofox vulnerability, such as disabling the temp handler in the UploadDownloadProxy’s web configuration. The addition of these vulnerabilities to the KEV catalog underscores the urgency for organizations using these platforms to implement security updates and monitor for signs of exploitation, especially as technical details for the CWP flaw have been publicly disclosed, increasing the risk of future attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal agencies to patch by November 25
Following the KEV additions, CISA required Federal Civilian Executive Branch agencies to remediate CVE-2025-11371 and CVE-2025-48703 by November 25, 2025, under Binding Operational Directive 22-01. The deadline was set because both flaws were being exploited in the wild.
Wordfence reports exploitation of three critical WordPress plugin flaws
Wordfence reported active exploitation of CVE-2025-11533, CVE-2025-5397, and CVE-2025-11833 affecting WordPress plugins. The vulnerabilities can enable privilege escalation, authentication bypass, and site takeover, and users were urged to update and audit their sites.
CISA adds CVE-2025-11371 and CVE-2025-48703 to the KEV catalog
On November 5, 2025, CISA added the Gladinet CentreStack/Triofox file disclosure flaw CVE-2025-11371 and the Control Web Panel RCE flaw CVE-2025-48703 to its Known Exploited Vulnerabilities catalog. The agency cited evidence of active exploitation.
Active exploitation observed for Gladinet and CWP vulnerabilities
Evidence emerged that unknown threat actors were actively exploiting CVE-2025-11371 in Gladinet CentreStack and Triofox for reconnaissance and CVE-2025-48703 in Control Web Panel in attacks. These exploitation reports prompted urgent patching recommendations.
Technical details and PoC for CVE-2025-48703 are published
Security researchers, including Maxime Rinaudo, disclosed technical details and proof-of-concept exploit information for CVE-2025-48703. The public disclosure enabled exploit development and sharing on hacking forums.
CWP releases version 0.9.8.1205 fixing CVE-2025-48703
Control Web Panel released version 0.9.8.1205 in June 2025, and versions before it are affected by CVE-2025-48703. The flaw is an unauthenticated OS command injection issue that can lead to remote code execution if an attacker can guess a valid non-root username.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence
thehackernews.com
Open sourceU.S. CISA adds Gladinet CentreStack, and CWP Control Web Panel flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA warns of critical CentOS Web Panel bug exploited in attacks
bleepingcomputer.com
Open sourceCritical Control Web Panel vulnerability is actively exploited (CVE-2025-48703)
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Alerts on Active Exploitation of Gladinet and CWP Vulnerabilities
CISA has issued an alert regarding the active exploitation of two critical vulnerabilities: a local file inclusion/remote code execution (LFI/RCE) flaw in *Gladinet CentreStack* and *Triofox* (CVE-2025-11371), and an OS command injection vulnerability in *Control Web Panel* (CWP) (CVE-2025-48703). Both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) Catalog following evidence of in-the-wild attacks, and are considered significant risks for organizations, especially those in the federal enterprise. Federal Civilian Executive Branch (FCEB) agencies are mandated by Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by the specified due date to protect against ongoing threats. CISA strongly recommends that all organizations, not just federal agencies, prioritize patching these vulnerabilities as part of their vulnerability management practices to reduce exposure to cyberattacks leveraging these flaws.
Mar 21, 2026
CISA Adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox Vulnerabilities to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include three newly identified vulnerabilities: an out-of-bounds write in WatchGuard Firebox OS (`CVE-2025-9242`), a race condition in the Microsoft Windows kernel (`CVE-2025-62215`), and improper access control in Gladinet Triofox (`CVE-2025-12480`). These vulnerabilities have been added due to evidence of active exploitation, with risks ranging from remote code execution on network appliances to privilege escalation on Windows systems and unauthorized access to sensitive setup functions in Triofox. CISA emphasizes the critical nature of these flaws and urges immediate patching and mitigation to prevent exploitation. Federal Civilian Executive Branch (FCEB) agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by the specified deadlines, but CISA also strongly recommends that all organizations prioritize addressing these issues as part of their vulnerability management programs. The addition of these CVEs to the KEV Catalog highlights their significance as attack vectors and the ongoing threat they pose to both government and private sector networks. Organizations should verify their exposure and apply all relevant security updates without delay.
Mar 21, 2026
CISA Adds Apple WebKit and Gladinet CentreStack Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-43529, a use-after-free vulnerability in Apple’s WebKit engine affecting multiple Apple products, and CVE-2025-14611, a hard-coded cryptographic vulnerability in Gladinet CentreStack and Triofox. These vulnerabilities have been identified as significant risks due to evidence of active exploitation, prompting CISA to require Federal Civilian Executive Branch agencies to remediate them by specified deadlines under Binding Operational Directive 22-01. CISA also strongly encourages all organizations, not just federal agencies, to prioritize remediation of these vulnerabilities to reduce exposure to cyberattacks. Recent reports indicate that the Apple WebKit vulnerability (CVE-2025-43529) has been exploited in highly targeted attacks, likely involving nation-state actors and commercial spyware vendors, with a focus on high-value individuals. Apple and Google both released urgent security updates in response to these attacks, though details remain limited. The WebKit flaw allows attackers to trigger memory corruption through specially crafted web content, potentially leading to arbitrary code execution. The Gladinet CentreStack and Triofox vulnerability involves hard-coded cryptographic keys, which could be leveraged by attackers to compromise affected systems. Organizations are urged to apply available patches and follow CISA’s guidance to mitigate these threats.
Mar 21, 2026