
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws affecting Gladinet and Control WebPanel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of real-world exploitation.
The vulnerabilities in question are as follows.
CVE-2025-11371 (CVSS Score: 7.5) – A vulnerability exists in an externally accessible file or directory in Gladinet CentreStack and Triofox that could lead to the unintentional disclosure of system files.
CVE-2025-48703 (CVSS Score: 9.0) – Operating system command injection vulnerability in the Control Web Panel (formerly CentOS Web Panel) allows unauthenticated remote code execution via a shell metacharacter in the t_total parameter of a file manager changePerm request.
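Because the CWP flaw hinges on a single parameter that should only ever carry an octal permission value, a defender can check web-server access logs for changePerm requests whose t_total is anything else. The following is an added example, not code from the original report or from CWP; the endpoint path and the log lines are constructed, and it assumes the parameter appears in the logged request target.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The path
# "/filemanager/changePerm" is an assumption standing in for the CWP
# file manager changePerm endpoint named in the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Nov/2025:10:01:02 +0000] "POST /filemanager/changePerm?t_total=755&path=%2Fhome%2Fuser HTTP/1.1" 200 512
203.0.113.11 - - [04/Nov/2025:10:01:05 +0000] "POST /filemanager/changePerm?t_total=0644&path=%2Fhome%2Fuser HTTP/1.1" 200 512
198.51.100.7 - - [04/Nov/2025:10:02:17 +0000] "POST /filemanager/changePerm?t_total=755%3Bid&path=%2Fhome%2Fuser HTTP/1.1" 200 512
198.51.100.7 - - [04/Nov/2025:10:02:19 +0000] "GET /login/index.php HTTP/1.1" 200 1024
"""

# Common log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A legitimate permission value is three or four octal digits and nothing else;
# any shell metacharacter (;, |, &, $, backtick, ...) fails this allow-list.
PERM_RE = re.compile(r'^[0-7]{3,4}$')


def suspicious_changeperm(line):
    """Return a finding dict if the line is a changePerm request whose t_total
    is not a plain octal mode, otherwise None."""
    m = LOG_RE.match(line)
    if not m or 'changePerm' not in m.group('target'):
        return None
    # parse_qs percent-decodes values, so %3B becomes ';' before the check.
    qs = parse_qs(urlsplit(m.group('target')).query, keep_blank_values=True)
    for value in qs.get('t_total', []):
        if not PERM_RE.match(value):
            return {'ip': m.group('ip'), 'ts': m.group('ts'), 't_total': value}
    return None


def scan(log_text):
    """Scan a whole log and return the list of findings."""
    return [hit for hit in map(suspicious_changeperm, log_text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} suspicious t_total={hit['t_total']!r}")
```

Only the third constructed line is flagged; valid octal modes such as 755 and 0644 pass the allow-list, which avoids noisy matches on ordinary file manager use.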
This development comes weeks after cybersecurity firm Huntress announced it had detected an active exploitation attempt targeting CVE-2025-11371, in which an unknown attacker leveraged the flaw to execute reconnaissance commands (e.g. ipconfig /all) passed in the form of a Base64-encoded payload.

There are currently no published reports on how CVE-2025-48703 is being weaponized in real-world attacks. However, the technical details of this flaw were shared by security researcher Maxime Rinaudo in June 2025, shortly after it was patched in version 0.9.8.1205 following a responsible disclosure on May 13th.
“This allows a remote attacker who knows a valid username on a CWP instance to execute arbitrary pre-authenticated commands on the server,” Rinaudo said.
In view of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have until November 25, 2025 to apply the necessary fixes to secure their networks.

The addition of the two flaws to the KEV catalog follows a report by Wordfence about the exploitation of critical security vulnerabilities affecting three WordPress plugins and themes.
CVE-2025-11533 (CVSS Score: 9.8) – Privilege escalation vulnerability in WP Freeio allows an unauthenticated attacker to grant themselves administrative privileges by specifying a user role during registration.
CVE-2025-5397 (CVSS Score: 9.8) – Authentication bypass vulnerability in Noo JobMonster allows unauthenticated attackers to bypass standard authentication and gain access to administrative user accounts, assuming social login is enabled on a site.
CVE-2025-11833 (CVSS Score: 9.8) – Missing authentication check in Post SMTP allows unauthenticated attackers to view email logs, including password reset emails, change the passwords of arbitrary users, including administrators, and take over the site.
WordPress site users who rely on the aforementioned plugins and themes are encouraged to update to the latest versions as soon as possible, use strong passwords, and audit their sites for signs of malware or the presence of unexpected accounts.
