The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerabilities in question are listed below –
- CVE-2025-11371 (CVSS score: 7.5) – A vulnerability in files or directories accessible to external parties in Gladinet CentreStack and Triofox that could result in unintended disclosure of system files.
- CVE-2025-48703 (CVSS score: 9.0) – An operating system command injection vulnerability in Control Web Panel (formerly CentOS Web Panel) that results in unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request.
The development comes weeks after cybersecurity company Huntress said it detected active exploitation attempts targeting CVE-2025-11371, with unknown threat actors leveraging the flaw to run reconnaissance commands (e.g., ipconfig /all) passed in the form of a Base64-encoded payload.
However, there are currently no public reports on how CVE-2025-48703 is being weaponized in real-world attacks. However, technical details of the flaw were shared by security researcher Maxime Rinaudo in June 2025, shortly after it was patched in version 0.9.8.1205 following responsible disclosure on May 13.
“It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server,” Rinaudo said.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks.
The addition of the two flaws to the KEV catalog follows reports from Wordfence about the exploitation of critical security vulnerabilities impacting three WordPress plugins and themes –
- CVE-2025-11533 (CVSS score: 9.8) – A privilege escalation vulnerability in WP Freeio that makes it possible for an unauthenticated attacker to grant themselves administrative privileges by specifying a user role during registration.
- CVE-2025-5397 (CVSS score: 9.8) – An authentication bypass vulnerability in Noo JobMonster that makes it possible for unauthenticated attackers to sidestep standard authentication and access administrative user accounts, assuming social login is enabled on a site.
- CVE-2025-11833 (CVSS score: 9.8) – A lack of authorization checks in Post SMTP that makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, allowing site takeover.
WordPress site users relying on the aforementioned plugins and themes are recommended to update them to the latest version as soon as possible, use strong passwords, and audit the sites for signs of malware or the presence of unexpected accounts.
