Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2025-11371 (CVSS score: 7.5) - A vulnerability in files or directories accessible to
Analysis Summary
This summary focuses only on the vulnerabilities explicitly detailed for Gladinet and Control Web Panel (CWP) mentioned by CISA for inclusion in the KEV catalog. The WordPress vulnerabilities detailed later in the article are omitted as they pertain to different products.
# Vulnerability: Gladinet File Disclosure (CVE-2025-11371)
## CVE Details
- CVE ID: CVE-2025-11371
- CVSS Score: 7.5 (High)
- CWE: (Not explicitly stated, but implied to be related to Improper Access Control/Information Exposure)
## Affected Systems
- Products: Gladinet CentreStack and Triofox
- Versions: Not specified in the provided text.
- Configurations: Vulnerable in files or directories accessible to external parties.
## Vulnerability Description
A vulnerability exists in files or directories accessible to external parties within Gladinet CentreStack and Triofox, which could lead to the unintended disclosure of system files.
## Exploitation
- Status: Exploited in the wild (CISA KEV catalog inclusion, confirmed by Huntress observation)
- Complexity: Low (Implied, as threat actors were able to leverage it)
- Attack Vector: Network (Leveraged to run commands)
## Impact
- Confidentiality: High (Unintended disclosure of system files, threat actors observed running reconnaissance commands like `ipconfig /all`)
- Integrity: Undetermined/Potential
- Availability: Undetermined/Potential
## Remediation
### Patches
- Information on specific patches for CVE-2025-11371 was not provided in the article.
### Workarounds
- No specific workarounds were provided for this vulnerability in the summary. Mitigation should focus on restricting external access to sensitive directories/files.
## Detection
- Indicators of Compromise: Evidence includes threat actors leveraging the flaw to run reconnaissance commands (e.g., `ipconfig /all`) passed in a Base64-encoded payload.
- Detection methods and tools: Network monitoring for suspicious requests leading to file access or execution of reconnaissance commands.
## References
- Vendor Advisories: Not specified.
- Relevant Links:
- [cisa-gov/news-events/alerts/2025/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog](https://www.cisa.gov/news-events/alerts/2025/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog)
- [thehackernews-com/2025/10/from-lfi-to-rce-active-exploitation-targeting](https://thehackernews-com/2025/10/from-lfi-to-rce-active-exploitation-targeting)
***
# Vulnerability: Control Web Panel Command Injection (CVE-2025-48703)
## CVE Details
- CVE ID: CVE-2025-48703
- CVSS Score: 9.0 (Critical)
- CWE: Command Injection
## Affected Systems
- Products: Control Web Panel (formerly CentOS Web Panel - CWP)
- Versions: Any version prior to 0.9.8.1205.
- Configurations: Requires a valid username on the CWP instance.
## Vulnerability Description
An operating system command injection vulnerability exists in Control Web Panel (CWP) within the filemanager changePerm request, specifically utilizing shell metacharacters in the `t_total` parameter. This flaw allows an *unauthenticated* remote attacker (who knows a valid username) to execute arbitrary system commands on the server.
## Exploitation
- Status: Active exploitation evidence is currently *not* publicly reported, but CISA has added it to KEV based on potential severity and disclosure.
- Complexity: Low (Researcher Maxime Rinaudo noted it allows pre-authenticated arbitrary command execution).
- Attack Vector: Network
## Impact
- Confidentiality: High (Arbitrary command execution)
- Integrity: High (Arbitrary command execution)
- Availability: High (Arbitrary command execution)
## Remediation
### Patches
- Patch available in Control Web Panel version **0.9.8.1205** (Patched following disclosure on May 13, 2025).
### Workarounds
- No specific workarounds were provided in the article. Immediate patching is advised. FCEB agencies are mandated to apply fixes by November 25, 2025.
## Detection
- Indicators of Compromise: Not specified, as active weaponization is not publicly reported.
- Detection methods and tools: Monitoring HTTP requests to CWP endpoints, specifically looking for non-standard characters or shell metaphors in the `t_total` parameter of filemanager changePerm requests.
## References
- Vendor Advisories: Disclosure led to patch in v0.9.8.1205.
- Relevant Links:
- [cisa-gov/news-events/alerts/2025/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog](https://www.cisa.gov/news-events/alerts/2025/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalog)
- [fenrisk-com/rce-centos-webpanel](https://fenrisk-com/rce-centos-webpanel)