The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities — one in Gladinet’s CentreStack/Triofox and a critical command‑injection bug in Control Web Panel (CWP) — to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation and ordering rapid remediation by government agencies.
Immediate threat: two CVEs and a tight deadline
CISA’s action brings fresh urgency to incidents that security firms have been tracking for weeks. The vulnerabilities are:
- CVE-2025-11371 (CVSS 7.5): a files-or-directories-exposed weakness affecting Gladinet CentreStack and Triofox that can lead to unintended disclosure of system files (CWE-552).
- CVE-2025-48703 (CVSS 9.0): an operating system command injection flaw in Control Web Panel (formerly CentOS Web Panel) allowing pre‑authentication remote command execution via shell metacharacters in the t_total parameter of a filemanager changePerm request (CWE-78).
Federal Civilian Executive Branch (FCEB) agencies must apply fixes or mitigations by November 25, 2025, under CISA’s KEV requirements. The shortened remediation window reflects the agency’s assessment of active exploitation and the potential for rapid compromise.
For official information on the KEV catalog and the agency’s guidance, see the CISA Known Exploited Vulnerabilities catalog.
What investigators have observed
Security firms report differing levels of observed activity.
- Huntress detected active exploitation attempts against CVE-2025-11371, noting attackers delivered Base64‑encoded payloads that ran reconnaissance commands such as ipconfig /all.
- Technical details for CVE-2025-48703 were published by researcher Maxime Rinaudo in June 2025 after responsible disclosure; a patch was released in CWP version 0.9.8.1205 following the report. Rinaudo warned the flaw "allows a remote attacker who knows a valid username on a CWP instance to execute pre‑authenticated arbitrary commands on the server."
While some advisories emphasize that a valid non‑root username is needed to exploit the CWP flaw, researchers and incident responders caution that usernames are often easy to enumerate, so that requirement offers little practical protection in many environments.
Technical risk and likely impact
Security teams describe the Gladinet issue as an access control failure that exposes sensitive files and configuration data to external parties — a condition that can enable data theft, credential discovery, or further lateral movement. The CWP flaw is more immediately severe: OS command injection on server management software can yield full server compromise, data exfiltration, and pivoting to other hosts.
Given the high CVSS score (9.0) for the CWP issue and public exploit details, defenders should assume high risk for internet‑reachable installations of the web panel.
Recommended actions for organizations
CISA and security vendors recommend the following steps as priority actions:
- Apply vendor patches immediately. For CWP, upgrade to the patched release (0.9.8.1205 or later) where available.
- If patching is not immediately possible, isolate and restrict network access to management interfaces (use firewalls, VPNs, or allowlists).
- Inventory and scan infrastructure to find all deployments of Gladinet CentreStack, Triofox, and Control Web Panel.
- Review access and audit logs for suspicious activity or indicators of compromise, including unusual file reads or commands and spikes in Base64‑encoded payloads.
- Rotate credentials and audit accounts, especially if exposed files could contain secrets.
- For high‑risk or unpatchable systems, consider taking services offline or migrating to alternative solutions until mitigations are in place.
CISA’s KEV listing imposes mandatory timelines for federal agencies; private organizations are strongly urged to treat the vulnerabilities with the same urgency.
Broader context: part of a wave of active web‑facing exploits
The KEV additions come as researchers and vendors report multiple high‑severity vulnerabilities being actively targeted across platforms, including several critical WordPress plugin flaws recently called out by Wordfence. The pattern underscores that internet‑exposed management panels and file‑sharing platforms remain attractive targets for both reconnaissance and rapid compromise.
What defenders should watch for next
- Increased exploitation attempts as scanning and exploit tooling proliferate now that details and patches are public.
- Follow‑on intrusions where attackers use exposed configuration files or credentials to escalate access.
- Reports from hosting providers and managed service providers about compromised client servers.
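The log review recommended above, as an added example that is not from the original article or either vendor: a small Python triage over constructed access-log lines that flags changePerm requests whose t_total is not a bare octal mode (the shell-metacharacter injection point described for CVE-2025-48703) and counts, per source address, requests carrying Base64 values that decode to readable text (the encoded-payload pattern Huntress reported). The combined log format, the endpoint path and all sample values are assumptions.

```python
import base64
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined-format access-log lines constructed for this example; the endpoint
# path is hypothetical, the page names only the changePerm action and t_total.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:09:12:01 +0000] "POST /filemanager/changePerm?t_total=755&path=/home/user HTTP/1.1" 200 512
203.0.113.9 - - [10/Nov/2025:09:12:05 +0000] "POST /filemanager/changePerm?t_total=755%3Becho%20CONSTRUCTED&path=/home/user HTTP/1.1" 200 512
198.51.100.4 - - [10/Nov/2025:09:13:10 +0000] "GET /portal/?cmd=ZWNobyBDT05TVFJVQ1RFRA%3D%3D HTTP/1.1" 200 91
198.51.100.4 - - [10/Nov/2025:09:13:11 +0000] "GET /portal/?cmd=ZWNobyBDT05TVFJVQ1RFRA%3D%3D HTTP/1.1" 200 91
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
OCTAL_MODE_RE = re.compile(r"^[0-7]{3,4}$")       # the only legitimate shape of t_total
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def query_values(target):
    """Decoded (key, value) pairs from the query string of a request target."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [(k, v) for k, vals in qs.items() for v in vals]

def bad_t_total(target):
    """t_total of a changePerm request that is not a bare octal mode, else None."""
    if "changeperm" not in target.lower():
        return None
    hits = [v for k, v in query_values(target) if k == "t_total" and not OCTAL_MODE_RE.match(v)]
    return hits[0] if hits else None

def decoded_base64(target):
    """Query values that are valid Base64 and decode to printable ASCII text."""
    out = []
    for _, v in query_values(target):
        try:
            text = base64.b64decode(v, validate=True).decode("ascii") if B64_RE.match(v) else ""
        except (ValueError, UnicodeDecodeError):
            continue
        if text and text.isprintable():
            out.append(text)
    return out

def triage(log_text):
    """(list of (ip, bad t_total), Counter of Base64-bearing requests per ip)."""
    cwp_hits, b64_by_ip = [], Counter()
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, target = m["ip"], m["target"]
        tt = bad_t_total(target)
        if tt is not None:
            cwp_hits.append((ip, tt))
        if decoded_base64(target):
            b64_by_ip[ip] += 1
    return cwp_hits, b64_by_ip
```

Running `triage(SAMPLE_LOG)` returns one CWP finding for the second line and a count of two encoded requests from 198.51.100.4; a sudden rise in that per-source count is the "spike" the checklist asks teams to look for.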
Bottom line
CISA’s KEV additions signal a real, near‑term danger for organizations using Gladinet CentreStack, Triofox or Control Web Panel. Immediate patching, access restriction, and active hunting for signs of compromise are the prudent responses. Agencies and enterprises alike should treat this advisory as high priority and act within the timelines CISA has set.