The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities—CVE-2025-11371 in Gladinet CentreStack and Triofox, and CVE-2025-48703 in Control Web Panel (CWP)—to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation in the wild.
The first vulnerability, CVE-2025-11371 (CVSS 7.5), impacts Gladinet CentreStack and Triofox, enterprise file-sharing platforms designed for hybrid cloud environments. In the software’s default installation and configuration, a Local File Inclusion (LFI) flaw allows unauthenticated attackers to access sensitive system files, including configuration data.
Security firm Huntress first reported active exploitation last month, warning that attackers were retrieving the Web.config file, extracting the machine key, and chaining it with a known ViewState deserialization exploit to achieve remote code execution (RCE).
The exploitation chain proceeds as follows:
Stage 1 – Local File Inclusion: Threat actors exploit the LFI vulnerability to read arbitrary files from the system.
Stage 2 – Key Extraction: They retrieve the machineKey embedded in the application’s configuration file.
Stage 3 – Payload Serialization: Using the key, attackers craft valid ViewState payloads to bypass authentication.
Stage 4 – Remote Code Execution: The malicious ViewState payload executes arbitrary commands on the server under application privileges.
This multi-stage attack underscores the danger of insecure defaults in enterprise web applications—particularly when cryptographic keys and deserialization mechanisms are exposed to unauthenticated users.
The second actively exploited flaw, CVE-2025-48703 (CVSS 9.0), affects CWP (Control Web Panel), formerly known as CentOS Web Panel, a popular web hosting control platform.
The issue arises from improper authentication checks combined with an unsanitized input parameter, resulting in unauthenticated remote command execution.
CWP before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known.
Attackers begin by bypassing authentication in the CWP interface—typically hosted on port 2083—by sending crafted HTTP POST requests directly to the file management endpoint.
Once authentication is bypassed, adversaries inject shell commands via the t_total parameter, which is intended to hold a numeric file permission mode (e.g., 644). Because this input is not sanitized, shell metacharacters in it are interpreted by the backend, which executes the injected commands on the underlying operating system.
The result is full command execution with the privileges of the user context, typically enough to establish a reverse shell or exfiltrate sensitive files.
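A defender-side check for the CWP issue described above, added here as an example and not code from the article or from CWP itself: it validates t_total as a strict octal mode and triages constructed POST records for the filemanager changePerm request. The endpoint path, the form-encoded body layout and the sample records are assumptions, not taken from CWP's source or from real traffic.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Strict allow-list for the permission mode that the changePerm request
# expects in t_total: three or four octal digits and nothing else.
MODE_RE = re.compile(r"[0-7]{3,4}")

# Shell metacharacters that have no business in a numeric mode field.
SHELL_META = set(";|&`$(){}<>\n")

def is_valid_mode(value: str) -> bool:
    """True only for a plain octal mode such as '644' or '0755'."""
    return MODE_RE.fullmatch(value) is not None

def inspect_request(path: str, body: str) -> Optional[str]:
    """Return a finding for a suspicious changePerm request, else None.

    `path` is the request path and `body` the raw form-encoded POST body.
    Matching on 'changeperm' in the path is an assumption from the article.
    """
    if "changeperm" not in path.lower():
        return None
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("t_total", []):
        if is_valid_mode(value):
            continue
        if SHELL_META & set(value):
            return f"t_total contains shell metacharacters: {value!r}"
        return f"t_total is not an octal mode: {value!r}"
    return None

# Constructed sample records (not captured traffic), as a reverse proxy or
# WAF that logs POST bodies might record them. The path is hypothetical.
SAMPLE_REQUESTS = [
    ("/filemanager/changePerm.php", "t_total=644&fileName=index.html"),
    ("/filemanager/changePerm.php", "t_total=644%3Bx&fileName=index.html"),
    ("/filemanager/changePerm.php", "t_total=rwxr-xr-x&fileName=index.html"),
    ("/login/index.php", "username=alice"),
]

def scan(requests):
    """Return (path, finding) for every record that trips a check."""
    findings = []
    for path, body in requests:
        finding = inspect_request(path, body)
        if finding:
            findings.append((path, finding))
    return findings

if __name__ == "__main__":
    for path, finding in scan(SAMPLE_REQUESTS):
        print(path, "->", finding)
```

The same allow-list, applied server-side before the value reaches any shell, is the input validation whose absence the advisory describes.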
The vulnerability was responsibly disclosed on May 13, 2025, and patched in version 0.9.8.1205 released in June.
CISA warned that these flaws “pose significant risks to the federal enterprise,” and ordered all Federal Civilian Executive Branch (FCEB) agencies to patch affected systems by November 25, 2025, to mitigate ongoing attacks.