CISA Adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox Vulnerabilities to KEV Catalog
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include three newly identified vulnerabilities: an out-of-bounds write in WatchGuard Firebox OS (CVE-2025-9242), a race condition in the Microsoft Windows kernel (CVE-2025-62215), and improper access control in Gladinet Triofox (CVE-2025-12480). These vulnerabilities have been added due to evidence of active exploitation, with risks ranging from remote code execution on network appliances to privilege escalation on Windows systems and unauthorized access to sensitive setup functions in Triofox. CISA emphasizes the critical nature of these flaws and urges immediate patching and mitigation to prevent exploitation.
Federal Civilian Executive Branch (FCEB) agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by the specified deadlines, but CISA also strongly recommends that all organizations prioritize addressing these issues as part of their vulnerability management programs. The addition of these CVEs to the KEV Catalog highlights their significance as attack vectors and the ongoing threat they pose to both government and private sector networks. Organizations should verify their exposure and apply all relevant security updates without delay.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CISA adds three actively exploited flaws to KEV catalog
CISA added CVE-2025-9242 in WatchGuard Firebox, CVE-2025-12480 in Gladinet Triofox, and CVE-2025-62215 in Microsoft Windows to its Known Exploited Vulnerabilities catalog, citing active exploitation and significant risk. The update triggered remediation requirements for U.S. federal civilian agencies under BOD 22-01 and broader patching recommendations for all organizations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CISA KEV Catalog Update November 2025
thecyberthrone.in
Open sourceU.S. CISA adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA Adds Three Known Exploited Vulnerabilities to Catalog
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Alerts on Active Exploitation of Gladinet and CWP Vulnerabilities
CISA has issued an alert regarding the active exploitation of two critical vulnerabilities: a local file inclusion/remote code execution (LFI/RCE) flaw in *Gladinet CentreStack* and *Triofox* (CVE-2025-11371), and an OS command injection vulnerability in *Control Web Panel* (CWP) (CVE-2025-48703). Both vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) Catalog following evidence of in-the-wild attacks, and are considered significant risks for organizations, especially those in the federal enterprise. Federal Civilian Executive Branch (FCEB) agencies are mandated by Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by the specified due date to protect against ongoing threats. CISA strongly recommends that all organizations, not just federal agencies, prioritize patching these vulnerabilities as part of their vulnerability management practices to reduce exposure to cyberattacks leveraging these flaws.
Mar 21, 2026
CISA Adds Gladinet CentreStack and CWP Control Web Panel Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities—CVE-2025-11371 in Gladinet CentreStack/Triofox and CVE-2025-48703 in Control Web Panel (CWP)—to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. CVE-2025-11371 is a local file inclusion flaw in Gladinet CentreStack and Triofox that allows unauthenticated access to system files, with reports from Huntress indicating that threat actors have already targeted at least three organizations by running reconnaissance commands via Base64-encoded payloads. CVE-2025-48703 is an unauthenticated remote code execution vulnerability in CWP, exploitable via shell metacharacters in the `t_total` parameter of a filemanager request, though there are currently no public reports of this flaw being weaponized in real-world attacks. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by November 25, 2025, to mitigate these risks. Both Gladinet and Huntress have issued alerts and recommended workarounds for the actively exploited CentreStack/Triofox vulnerability, such as disabling the temp handler in the UploadDownloadProxy’s web configuration. The addition of these vulnerabilities to the KEV catalog underscores the urgency for organizations using these platforms to implement security updates and monitor for signs of exploitation, especially as technical details for the CWP flaw have been publicly disclosed, increasing the risk of future attacks.
Mar 21, 2026
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that **BOD 22-01** requires fixes by mandated due dates. The newly added KEVs are **CVE-2017-7921** (Hikvision improper authentication), **CVE-2021-22681** (Rockwell insufficiently protected credentials), and three Apple issues: **CVE-2021-30952** (integer overflow/wraparound), **CVE-2023-41974** (iOS/iPadOS use-after-free), and **CVE-2023-43000** (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations. CISA’s public *kev-data* repository reflects the same update, increasing the catalog count from **1531 to 1536** and recording a remediation **due date of 2026-03-26** for at least **CVE-2017-7921** (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.
Mar 26, 2026