CISA Adds Actively Exploited Gladinet and CWP Flaws to KEV Catalog

CISA Adds Two Actively Exploited Vulnerabilities in Gladinet and Control Web Panel to KEV Catalog

Severity: CRITICAL
Published: November 5, 2025
Updated: November 6, 2025
Categories: Vulnerability, Patch Management, Threat Intelligence

Full Report (when first published)

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that both are being actively exploited in the wild by malicious actors. The flaws, CVE-2025-11371 in Gladinet products and CVE-2025-48703 in CWP (Control Web Panel), pose a significant risk to organizations. The Gladinet flaw allows external parties to access files and directories, while the CWP bug enables OS command injection. In accordance with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by the specified deadline. CISA strongly advises all public and private sector organizations to prioritize patching these flaws to mitigate their exposure to ongoing attacks.


Vulnerability Details

  • CVE-2025-11371 - Gladinet CentreStack/Triofox: This vulnerability is categorized as "Files or Directories Accessible to External Parties." It allows an unauthorized attacker to access sensitive information stored on the affected systems, which could be leveraged for further attacks or lead to a data breach.

  • CVE-2025-48703 - CWP (Control Web Panel): This is a critical OS command injection vulnerability. An attacker who successfully exploits this flaw can execute arbitrary commands on the underlying operating system with the privileges of the web server application. This could lead to a full system compromise, allowing the attacker to install malware, steal data, or pivot to other systems on the network.

Affected Systems

  • Gladinet: CentreStack and Triofox products (specific versions should be confirmed with the vendor).
  • CWP (Control Web Panel): Formerly CentOS Web Panel (specific versions should be confirmed with the vendor).

Exploitation Status

CISA has confirmed that both CVE-2025-11371 and CVE-2025-48703 are being actively exploited in the wild. The addition to the KEV catalog serves as an urgent notification to all organizations that these are not theoretical risks but are being used in current attacks. The specific threat actors or campaigns exploiting these vulnerabilities have not been disclosed by CISA.

Impact Assessment

Active exploitation of these vulnerabilities presents an immediate and severe risk. The OS command injection in CWP (CVE-2025-48703) is particularly dangerous, as it can provide an attacker with a direct foothold into a server, bypassing other security controls. This is a common vector for deploying web shells, crypto miners, or ransomware. The information disclosure flaw in Gladinet (CVE-2025-11371) can expose sensitive corporate data, user credentials, or configuration details that could facilitate more complex, targeted attacks.

Cyber Observables for Detection

  • url_pattern: `?= or?;&`
  • process_name: sh, bash, powershell.exe. Suspicious child processes spawned by the web server process (e.g., httpd, apache2, nginx).
  • log_source: Web Server Access Logs. Source for detecting anomalous URL patterns related to command injection.

Detection Methods

  • Vulnerability Scanning: Regularly scan external-facing assets for the presence of CVE-2025-11371 and CVE-2025-48703 using a vulnerability management solution that has been updated with the latest checks.
  • Log Analysis: Implement D3-NTA: Network Traffic Analysis by reviewing web server access logs for unusual requests containing shell metacharacters (e.g., |, ;, &&, $()) which are indicative of command injection attempts (T1059.004 - Command and Scripting Interpreter: Unix Shell).
  • File Integrity Monitoring (FIM): For Gladinet systems, use FIM to monitor for unauthorized access to sensitive file paths and directories.
  • Endpoint Detection and Response (EDR): Monitor for web server processes spawning unexpected child processes like shells or reconnaissance commands (e.g., whoami, id, uname).
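As an added example (not code from the article, CISA or the CWP project), a small Python checker that applies the log-analysis guidance above: it URL-decodes each query parameter in constructed web-server access-log lines, flags the shell metacharacters the article lists, and ranks higher any request to a changePerm endpoint carrying t_total, the CWP endpoint and parameter named in the November 6 update. The /filemanager/changePerm path and the sample log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Shell metacharacters the article cites as command-injection indicators
# (|, ;, &&, $()); applied after URL-decoding so %3B, %26%26 etc. are caught.
METACHAR_RE = re.compile(r"\||;|&&|\$\(")

# Combined-log-format fields we need: client IP, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). /filemanager/changePerm is an assumed
# location for the CWP file-manager endpoint named in the article; adjust to your install.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Nov/2025:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.11 - - [06/Nov/2025:10:01:05 +0000] "POST /filemanager/changePerm?t_total=1%3Bid HTTP/1.1" 200 88
203.0.113.12 - - [06/Nov/2025:10:02:11 +0000] "GET /search?q=a%26%26whoami HTTP/1.1" 200 1024
203.0.113.13 - - [06/Nov/2025:10:03:00 +0000] "GET /docs/a%26b.pdf HTTP/1.1" 200 4096
"""

def analyze_line(line):
    """Return a finding dict if any query parameter contains shell metacharacters, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    hits = []
    # parse_qs already decodes once; the extra unquote also catches double-encoded values.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if METACHAR_RE.search(decoded):
                hits.append((name, decoded))
    if not hits:
        return None
    # A changePerm request whose t_total parameter carries metacharacters matches the
    # CVE-2025-48703 pattern described in the article update, so it is ranked higher.
    cwp_pattern = path.endswith("changePerm") and any(n == "t_total" for n, _ in hits)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "hits": hits,
            "severity": "high" if cwp_pattern else "medium"}

def analyze_log(text):
    """Run analyze_line over every line of an access log and return the findings in order."""
    return [f for f in (analyze_line(line) for line in text.splitlines()) if f]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["path"], f["hits"])
```

Benign paths such as /docs/a%26b.pdf produce no finding because only query-parameter values are inspected; widen the check to the path if your application reads input from it.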

Remediation Steps

  • Prioritize Patching: This is the most critical action. Organizations must immediately apply the patches provided by Gladinet and CWP to remediate these vulnerabilities. Due to their KEV status, patching should be treated as an emergency action.
  • Review BOD 22-01: Federal agencies must adhere to the remediation deadline set by CISA. All other organizations are strongly encouraged to use this deadline as a guide for their own patching timeline.
  • Web Application Firewall (WAF): If patching is not immediately possible, deploy a WAF with rules designed to block OS command injection attempts as a temporary compensating control. This falls under D3-ITF: Inbound Traffic Filtering.
  • Verify Remediation: After applying patches, run follow-up vulnerability scans to confirm that the vulnerabilities have been successfully remediated.

Timeline of Events

  • November 5, 2025: This article was published.

Article Updates

November 6, 2025: Severity increased. New technical details for the CWP (CVE-2025-48703) RCE vulnerability, including the specific endpoint, parameter, and authentication bypass method, with the federal patch deadline set for Nov 25.

Further analysis of CVE-2025-48703 in Control Web Panel reveals specific exploitation details. The OS command injection occurs in the file manager's changePerm endpoint via the t_total parameter. An authentication bypass is possible by knowing a valid non-root username. This allows remote code execution (RCE) on vulnerable servers. CISA has set a firm deadline of November 25, 2025, for federal agencies to patch CWP versions prior to 0.9.8.1205.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags: BOD 22-01, CISA, CWP, Command Injection, Gladinet, Information Disclosure, KEV