CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence

0
Low
Exploitweb
Published: Wed Nov 05 2025 (11/05/2025, 06:12:00 UTC)
Source: The Hacker News

Description

Two critical vulnerabilities affecting Gladinet CentreStack/Triofox and Control Web Panel (CWP) have been added to CISA's Known Exploited Vulnerabilities catalog due to evidence of active exploitation. CVE-2025-11371 (CVSS 7.5) allows unauthorized disclosure of system files in Gladinet products, with attackers observed running reconnaissance commands via Base64-encoded payloads. CVE-2025-48703 (CVSS 9.0) is an unauthenticated OS command injection in CWP enabling remote code execution through shell metacharacters in a file manager parameter. While active exploitation of CVE-2025-11371 is confirmed, CVE-2025-48703 exploitation has not yet been publicly observed, but it poses a severe risk because it is unauthenticated RCE. Federal agencies must patch these flaws by November 25, 2025. European organizations using these products face significant risks, including data exposure and full system compromise. Immediate patching, network segmentation, and monitoring for suspicious activity are critical to mitigate these threats.

AI-Powered Analysis

Last updated: 11/05/2025, 12:09:45 UTC

Technical Analysis

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two significant vulnerabilities impacting Gladinet CentreStack/Triofox and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation.

CVE-2025-11371 is a vulnerability in Gladinet products that exposes files or directories accessible to external parties, potentially leading to unintended disclosure of sensitive system files. Huntress security researchers observed threat actors exploiting this flaw by sending Base64-encoded payloads to execute reconnaissance commands such as 'ipconfig /all', indicating active reconnaissance and potential preparation for further attacks. This vulnerability has a CVSS score of 7.5, reflecting its high impact on confidentiality.

CVE-2025-48703 is a critical operating system command injection vulnerability in Control Web Panel (formerly CentOS Web Panel). It allows unauthenticated remote attackers to execute arbitrary commands on the server by injecting shell metacharacters into the 't_total' parameter of a filemanager 'changePerm' request. This vulnerability was responsibly disclosed and patched in version 0.9.8.1205, but no public exploitation reports exist yet. However, the flaw's nature (unauthenticated remote code execution) makes it extremely dangerous, with a CVSS score of 9.0. The vulnerability enables attackers who know a valid username to execute commands without authentication, posing a severe risk to affected systems.

The addition of these vulnerabilities to the KEV catalog mandates Federal Civilian Executive Branch agencies to remediate by November 25, 2025. The vulnerabilities affect web-facing software commonly used for file sharing and web hosting management, increasing the attack surface. The active exploitation of CVE-2025-11371 and the potential for rapid exploitation of CVE-2025-48703 necessitate urgent attention.

The report also references other high-severity WordPress plugin vulnerabilities, underscoring a broader trend of web application exploitation. The technical details highlight the exploitation methods, including command injection via shell metacharacters and reconnaissance commands encoded in Base64, emphasizing the sophistication of threat actors. Organizations using Gladinet or CWP should prioritize patching, monitor for anomalous command execution, and restrict access to management interfaces to mitigate risks.

Potential Impact

European organizations using Gladinet CentreStack, Triofox, or Control Web Panel face significant risks from these vulnerabilities. CVE-2025-11371 can lead to unauthorized disclosure of sensitive system files, potentially exposing configuration data, credentials, or other critical information that could facilitate further attacks. The active exploitation of this flaw indicates attackers are already targeting affected systems, increasing the likelihood of data breaches or lateral movement within networks. CVE-2025-48703 presents an even more severe threat as it allows unauthenticated remote code execution, enabling attackers to fully compromise affected servers, deploy malware, exfiltrate data, or disrupt services. This could result in loss of confidentiality, integrity, and availability of critical systems. For European organizations, the impact includes potential regulatory consequences under GDPR due to data breaches, operational disruptions, reputational damage, and financial losses. The vulnerabilities affect web-facing applications, which are often exposed to the internet, increasing the attack surface. Additionally, the presence of these flaws in widely used management panels and file-sharing solutions means that sectors such as government, healthcare, finance, and critical infrastructure could be targeted. The requirement for federal agencies to patch by a specific deadline underscores the urgency and severity of these threats. Failure to remediate promptly could lead to widespread exploitation campaigns targeting European entities, especially those with similar software deployments or supply chain connections.

Mitigation Recommendations

1. Immediate patching: Organizations must apply the latest security patches for Gladinet CentreStack, Triofox, and Control Web Panel (CWP) to remediate CVE-2025-11371 and CVE-2025-48703. For CWP, ensure version 0.9.8.1205 or later is deployed.
2. Access restriction: Limit access to management interfaces and file-sharing portals to trusted IP addresses or VPNs to reduce exposure to unauthenticated attacks.
3. Network segmentation: Isolate affected systems from critical network segments to contain potential breaches and limit lateral movement.
4. Monitoring and detection: Implement enhanced logging and monitoring for suspicious activities, such as unusual command executions, Base64-encoded payloads, or unexpected file access patterns.
5. Credential management: Enforce strong authentication mechanisms and regularly audit user accounts to prevent unauthorized access, especially since CWP requires only a valid username for exploitation.
6. Incident response readiness: Prepare for potential incidents by developing and testing response plans specific to web application compromises and remote code execution scenarios.
7. Vendor communication: Stay updated with vendor advisories and security bulletins for any additional patches or mitigation guidance.
8. Web application firewall (WAF): Deploy or update WAF rules to detect and block exploitation attempts targeting these vulnerabilities, particularly command injection payloads.
9. User education: Train administrators on secure configuration and the risks associated with exposed management interfaces.
10. Backup and recovery: Maintain secure, tested backups of critical systems to enable rapid recovery in case of compromise.
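As an added illustration of recommendations 4 and 8 (this is example code written for this page, not code from The Hacker News, CISA, Huntress, Gladinet, or CWP), the following Python script triages web requests for the two patterns the analysis describes: Base64-encoded blobs that decode to reconnaissance commands such as 'ipconfig /all', and shell metacharacters in the 't_total' parameter of a 'changePerm' request. The request representation, the sample traffic, the parameter and action names other than t_total and changePerm, and the list of reconnaissance commands are assumptions constructed for the example; tune them to the request logs your own WAF or reverse proxy actually produces.

```python
import base64
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Reconnaissance commands worth flagging when they appear Base64-encoded in a
# request. 'ipconfig' is the one the report names; the rest are assumed
# additions a defender would commonly watch for.
RECON_COMMANDS = ("ipconfig", "whoami", "systeminfo", "hostname", "uname", "net user")

# Characters that have no place in a numeric permission mode such as 755.
SHELL_METACHARS = set(";|&`$\n")

# Base64-looking tokens: 12+ alphabet characters plus optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def decode_b64_tokens(text):
    """Yield (token, decoded_text) for each Base64-looking token that decodes cleanly."""
    for match in B64_TOKEN.finditer(text):
        token = match.group(0)
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # bad padding / not text: skip
            continue
        yield token, decoded


def analyze_request(url, body=""):
    """Return a list of finding strings for one request; an empty list means clean."""
    findings = []
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)

    # Check 1 (CVE-2025-11371 pattern): Base64 blobs that decode to recon commands.
    # Note: a literal '+' inside a Base64 token must be sent as %2B to survive
    # form decoding; raw '+' becomes a space and the token will not decode.
    for name, values in params.items():
        for value in values:
            for _token, decoded in decode_b64_tokens(value):
                if any(cmd in decoded.lower() for cmd in RECON_COMMANDS):
                    findings.append(f"b64-recon param={name} decoded={decoded!r}")

    # Check 2 (CVE-2025-48703 pattern): shell metacharacters in t_total on a
    # changePerm request. Whether 'changePerm' arrives in the path or in a
    # parameter is an assumption, so both are checked.
    if "changeperm" in (parts.path + "?" + parts.query + "&" + body).lower():
        for value in params.get("t_total", []):
            # unquote again so a double-encoded metacharacter is still caught
            bad = SHELL_METACHARS & set(unquote_plus(value))
            if bad:
                findings.append(f"cmdi-metachar t_total={value!r} chars={sorted(bad)}")
    return findings


def triage(requests):
    """Map the index of each suspicious (method, url, body) tuple to its findings."""
    report = {}
    for index, (_method, url, body) in enumerate(requests):
        hits = analyze_request(url, body)
        if hits:
            report[index] = hits
    return report


# Constructed sample traffic (not real captures). The Base64 value is the
# encoding of "ipconfig /all"; the last request carries a lone ';' in t_total.
B64_IPCONFIG = base64.b64encode(b"ipconfig /all").decode()
SAMPLE_REQUESTS = [
    ("GET", "/portal/index.html", ""),
    ("GET", f"/portal/loader?payload={B64_IPCONFIG}", ""),
    ("POST", "/filemanager", "action=changePerm&filename=index.php&t_total=755"),
    ("POST", "/filemanager", "action=changePerm&filename=index.php&t_total=755%3B"),
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_REQUESTS).items():
        method, url, body = SAMPLE_REQUESTS[index]
        print(f"[{index}] {method} {url} {body}")
        for hit in hits:
            print("    ", hit)
```

Run stand-alone, the script reports the second and fourth sample requests and stays silent on the two benign ones; the check-2 logic deliberately keys on the parameter semantics (a permission mode should be digits only) rather than on any specific payload, which is what makes it usable as a WAF rule without chasing variants.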

Technical Details

Article Source: https://thehackernews.com/2025/11/cisa-adds-gladinet-and-cwp-flaws-to-kev.html (fetched 2025-11-05T12:08:31.403Z, 1016 words)

Threat ID: 690b3e49eb4434bb4f893736

Added to database: 11/5/2025, 12:08:41 PM

Last enriched: 11/5/2025, 12:09:45 PM

Last updated: 11/5/2025, 2:17:02 PM
