CISA has quietly expanded its Known Exploited Vulnerabilities (KEV) Catalog again, adding two actively exploited flaws that demand immediate attention from system owners and defenders: an unauthenticated local file inclusion in Gladinet CentreStack and Triofox tracked as CVE-2025-11371, and an OS command‑injection vulnerability in CWP (Control Web Panel) tracked as CVE-2025-48703. These entries were added because threat actors have been observed weaponizing the bugs in real-world attacks, and their inclusion in the KEV Catalog triggers accelerated remediation expectations for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22‑01 while providing a de-facto priority signal for the private sector.
Background
CISA’s Known Exploited Vulnerabilities (KEV) Catalog is a living, evidence-driven list of Common Vulnerabilities and Exposures (CVEs) that have been observed in active exploitation campaigns. When CISA places a CVE on KEV under BOD 22‑01, federal civilian agencies must remediate or implement compensating controls within prescribed timeframes; private organizations are strongly advised to treat those entries as urgent remediation priorities as well. This policy mechanism turns threat intelligence into operational deadlines and is intended to reduce the window of exposure for widely exploited weaknesses. The two newest additions epitomize common and highly effective attacker patterns: unauthenticated file‑disclosure pathways that lead to credential or key theft and chained remote code execution, and web‑application parameter handling that allows crafted input to execute operating‑system commands. Both patterns are repeatedly leveraged in initial-access campaigns, post‑compromise persistence, and ransomware intrusions—making rapid detection and remediation critical.
CVE-2025-11371 — Gladinet CentreStack & Triofox: Local File Inclusion (LFI)
What it is and why it matters
CVE-2025-11371 is described as an unauthenticated Local File Inclusion (LFI) vulnerability in default installations of Gladinet CentreStack and Triofox. The bug allows remote, unauthenticated actors to request and retrieve arbitrary server files through a vulnerable upload/download proxy or temp handler, including configuration files such as Web.config that can contain sensitive cryptographic machine keys. Exposure of those keys can then enable attackers to craft forged ViewState or serialized payloads to pivot to remote code execution (RCE) when combined with other product weaknesses.
The reason this LFI is particularly dangerous is the chaining potential. On its own, reading configuration files yields sensitive secrets and reconnaissance. When paired with serialization-related or crypto/key mismanagement bugs in the same product, those secrets can be used to bypass integrity checks and escalate an information disclosure into full system compromise. Multiple vendor and researcher writeups indicate this vulnerability has been observed being exploited in the wild—making its KEV listing operationally urgent.
Affected products and versions
Public vulnerability records indicate the issue impacts default configurations of Gladinet CentreStack and Triofox through affected versions identified in disclosures (for example, all CentreStack/Triofox versions up to the vendor-supplied patch level listed in advisories). Operators should assume any unpatched CentreStack or Triofox instance that has internet-accessible web endpoints or exposed management interfaces is at risk until explicitly verified otherwise.
Evidence of exploitation and vendor response
Security vendor Huntress and sector ISAC advisories reported active exploitation beginning in late September and early October, with at least a handful of confirmed victims described in industry posts. Vendor acknowledgement has been reported, but public evidence suggests a patch was not universally available immediately upon initial disclosure—leading many researchers to recommend mitigations such as isolating public access and hardening configuration while waiting for vendor-supplied fixes. Because exploitation is active and practical mitigations are sometimes imperfect, CISA’s KEV addition formalizes the urgency.
Practical mitigations and detection tips
- Immediate actions (short term)
  - Remove or restrict internet exposure to CentreStack/Triofox management and web endpoints using firewall rules, IP allow lists, or reverse-proxy ACLs.
  - Review Web.config and other configuration files for machine keys, rotate keys where feasible, and apply vendor guidance for key management.
  - Apply any vendor-provided mitigations (temporary configuration changes) and monitor vendor advisories for an official patch.
- Detection and hunting
  - Look for anomalous HTTP requests targeting upload/download endpoints, unusual file‑download patterns, or high‑volume requests for Web.config or other configuration files.
  - Inspect logs for unusual ViewState or serialized payloads and spikes in requests to endpoints commonly used for file operations.
  - Hunt for post‑exploit indicators such as unexpected process creation on application hosts or outbound connections to previously unseen command-and-control domains.
- Long term
  - Patch to vendor-fixed versions as soon as they are verified and tested.
  - Harden default configurations and avoid hard-coded cryptographic keys or predictable config artifacts.
  - Implement web application firewalls (WAFs) tuned to block LFI-style path traversal and suspicious file-read requests.
These steps reduce the window of exposure and limit the usefulness of the information disclosure, buy time for full patching, and improve detection coverage.
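The "review Web.config for machine keys and rotate them" step above is easy to state and tedious to do by hand across many hosts. The following Python script is an added example written for this article; it is not Gladinet's tooling or code from the original post. It assumes a standard ASP.NET `<machineKey>` element under `<system.web>`, uses the key sizes ASP.NET documentation recommends for HMACSHA256 (64 bytes) and AES (32 bytes), and works on a constructed Web.config fragment whose dummy key values are all zeros. It reports whether a file carries static, disk-readable key material (exactly what an LFI would expose) and produces a rotated copy with fresh random keys.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed Web.config fragment with a hard-coded machineKey (dummy values).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0000000000000000000000000000000000000000000000000000000000000000"
                decryptionKey="00000000000000000000000000000000"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Raw key sizes in bytes per ASP.NET guidance for each algorithm (assumption:
# algorithms not listed fall back to the HMACSHA256/AES sizes).
KEY_BYTES = {"HMACSHA256": 64, "HMACSHA384": 64, "HMACSHA512": 64, "AES": 32, "3DES": 24}


def find_machine_key(xml_text: str):
    """Return (root, machineKey element or None). iter() is used because
    ElementPath treats the dot in 'system.web' as a path operator."""
    root = ET.fromstring(xml_text)
    return root, next(root.iter("machineKey"), None)


def audit_machine_key(xml_text: str) -> dict:
    """Report whether the config carries static key material readable from disk."""
    _, node = find_machine_key(xml_text)
    if node is None:
        return {"present": False, "static_keys": False,
                "note": "no <machineKey>; keys are auto-generated by the runtime"}
    vk = node.get("validationKey", "AutoGenerate")
    dk = node.get("decryptionKey", "AutoGenerate")
    static = not vk.startswith("AutoGenerate") or not dk.startswith("AutoGenerate")
    return {
        "present": True,
        "static_keys": static,
        "validation": node.get("validation", "HMACSHA256"),
        "decryption": node.get("decryption", "AES"),
        "note": ("static keys readable from disk: treat as exposed after any file-read "
                 "incident and rotate per vendor guidance") if static else "keys auto-generated",
    }


def generate_keys(validation: str, decryption: str) -> dict:
    """Fresh hex keys sized for the configured algorithms (CSPRNG via secrets)."""
    return {
        "validationKey": secrets.token_hex(KEY_BYTES.get(validation, 64)).upper(),
        "decryptionKey": secrets.token_hex(KEY_BYTES.get(decryption, 32)).upper(),
    }


def rotate_machine_key(xml_text: str) -> tuple:
    """Return (new_xml, new_keys) with the <machineKey> attributes replaced."""
    root, node = find_machine_key(xml_text)
    if node is None:
        raise ValueError("no <machineKey> element to rotate")
    keys = generate_keys(node.get("validation", "HMACSHA256"), node.get("decryption", "AES"))
    node.set("validationKey", keys["validationKey"])
    node.set("decryptionKey", keys["decryptionKey"])
    return ET.tostring(root, encoding="unicode"), keys


if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
    rotated_xml, new_keys = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print(rotated_xml)
```

Run the audit across every CentreStack/Triofox host before rotation so the result doubles as an inventory of where disk-readable keys exist; write the rotated file back only after the vendor's key-management guidance has been checked, since other hosts or components may depend on the same values.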
CVE-2025-48703 — CWP (Control Web Panel): OS Command Injection
Nature of the vulnerability
CVE-2025-48703 is an OS command‑injection vulnerability in Control Web Panel (CWP, also known as CentOS Web Panel). According to vulnerability records, a specially crafted parameter—typically the t_total parameter used in a filemanager changePerm request—can carry shell metacharacters or arguments that are not properly neutralized, enabling attackers to execute arbitrary OS commands on the server. Exploitation may require knowledge of a valid non‑root username but can be performed remotely and has been observed in real‑world abuse. Command‑injection vulnerabilities are highly prized by attackers because they often yield immediate code execution at the privilege level of the application—frequently enough to drop web shells, execute additional payloads, or pivot to other systems. When present on hosting control panels or web‑hosting management layers, the blast radius includes every site or tenant managed by the panel.
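The defect class described above, a permission value passed straight into a shell command, is easiest to understand next to its fix. The Python below is an added illustration written for this article, not CWP's code (CWP is not written in Python) and not a reproduction of the actual bug: it builds the flawed command string only to show, via shell tokenization, that a hostile parameter value turns one command into two, and then shows the hardened pattern (an allowlist on the value plus an argv list executed without a shell). The hostile value `755;id` and the temporary file are constructed for the demonstration.

```python
import os
import re
import shlex
import stat
import subprocess
import tempfile

# Allowlist for a permission value: three or four octal digits and nothing else.
MODE_RE = re.compile(r"[0-7]{3,4}")


def build_command_unsafe(mode: str, path: str) -> str:
    """The flawed pattern: a request parameter pasted into a shell command string.
    Only the string is built here; this function never executes anything."""
    return f"chmod {mode} {path}"


def shell_tokens(command: str) -> list:
    """Tokenize the way a POSIX shell would, keeping ; | & as separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def input_escapes_argument(mode: str, path: str) -> bool:
    """True when the shell would see a second command instead of a single chmod."""
    separators = {";", "|", "&", "&&", "||"}
    tokens = shell_tokens(build_command_unsafe(mode, path))
    return any(tok in separators for tok in tokens)


def change_permissions(mode: str, path: str) -> tuple:
    """Hardened version: allowlist the value, then exec without a shell."""
    if not MODE_RE.fullmatch(mode):
        return False, "rejected: mode must be 3 or 4 octal digits"
    if not os.path.isfile(path):
        return False, "rejected: not a regular file"
    # argv list with shell=False: every element is one literal argument, so
    # metacharacters inside `mode` are never interpreted by a shell
    subprocess.run(["chmod", mode, path], check=True, shell=False)
    return True, "ok"


def demo() -> dict:
    """Exercise both paths against a throwaway file; returns a summary dict."""
    hostile = "755;id"  # constructed hostile parameter value
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"sample")
        target = tmp.name
    try:
        accepted, _ = change_permissions("600", target)
        mode_after = stat.S_IMODE(os.stat(target).st_mode)
        rejected = not change_permissions(hostile, target)[0]
        return {
            "unsafe_string_escapes": input_escapes_argument(hostile, target),
            "hardened_accepted_valid": accepted,
            "mode_after": mode_after,
            "hardened_rejected_hostile": rejected,
        }
    finally:
        os.unlink(target)


if __name__ == "__main__":
    print(demo())
```

The two controls are independent and both matter: the allowlist rejects anything that is not a mode, and the argv list means that even a value which slips past validation reaches `chmod` as a single literal argument rather than as shell syntax.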
Impact and scope
- A vulnerable, internet‑facing CWP instance can be escalated to a launchpad for compromise across hosted websites and services.
- Because web panels often manage multiple virtual hosts, one server-level compromise frequently leads to multiple customer or tenant breaches.
- Historical evidence shows that control-panel RCEs have been weaponized for mass web compromise, cryptomining, and initial access for ransomware operations.
CISA’s KEV listing reflects evidence that adversaries are actively scanning for and exploiting this particular parameter handling bug—meaning the risk is both real and timely.
Recommended mitigations and detection
- Patch or upgrade
  - Immediately upgrade CWP to the vendor-released fixed version if available; if a fixed release is not yet posted, apply vendor-approved workarounds.
- Limit exposure
  - Block or restrict access to CWP’s management ports and web interface (restrict by IP, use VPN-only admin access).
- Harden and monitor
  - Implement WAF rules to normalize and block unusual parameter values that include shell metacharacters or suspect encodings.
  - Monitor process creation and command execution logs for untrusted user contexts and unusual binaries.
- Incident response
  - If exploitation is suspected, isolate affected hosts quickly, preserve logs, and perform full forensic triage to identify scope and persistence.
These practical steps reduce risk immediately and align with BOD 22‑01-style urgency when attackers are actively exploiting the issue.
What CISA’s KEV addition means operationally (BOD 22‑01 obligations)
The KEV Catalog is not merely advisory for federal civilian agencies: under BOD 22‑01, FCEB agencies must remediate cataloged CVEs by the due dates set by CISA. These deadlines are typically accelerated when exploitation evidence is recent. Even though BOD 22‑01 legally binds federal agencies, the operational reality is that private-sector enterprises should treat KEV inclusions as urgent remediation priorities—attackers do not distinguish between government and corporate targets. CISA’s entries effectively convert observed exploitation into operational triage orders. For enterprises managing hybrid environments, the KEV designation should trigger these concrete operational steps:
- Inventory: Identify any assets running the affected products (CentreStack, Triofox, CWP) in production, staging, and test environments.
- Prioritize: Classify internet‑facing instances and production tenants as highest priority for mitigation and patching.
- Contain: Apply network segmentation, ACLs, and temporary compensating controls to remove public exposure.
- Patch: Deploy vendor fixes after appropriate testing and verification, or apply vendor mitigation guidance if patches are unavailable.
- Hunt & Remediate: Run detection hunts and incident response if signs of compromise are present; rotate keys and secrets if disclosure is suspected.
This is not theoretical: the KEV mechanism exists to compress the timeline between exploitation discovery and remediation action. Agencies that do not meet BOD deadlines are expected to document mitigation decisions and risk acceptance, but the security best practice for all organizations is to eliminate the vulnerable state as quickly as possible.
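The inventory and prioritize steps above amount to a join between CISA's machine-readable KEV feed and your asset list. The Python below is an added example written for this article, not a CISA tool. It assumes the field names of the public KEV JSON feed (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dateAdded`, `dueDate`); the feed excerpt, asset inventory, and every date in it are constructed placeholders, not the catalog's real entries or deadlines. It ranks matched assets by exposure (internet-facing first, then production, then everything else) and by due date within each tier, which is the triage order the article recommends.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names follow
# the real feed; values, dateAdded and dueDate are illustrative placeholders.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2025-11371", "vendorProject": "Gladinet",
     "product": "CentreStack and Triofox",
     "vulnerabilityName": "Gladinet CentreStack and Triofox Local File Inclusion Vulnerability",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-48703", "vendorProject": "Control Web Panel",
     "product": "Control Web Panel",
     "vulnerabilityName": "Control Web Panel OS Command Injection Vulnerability",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "product": "Unrelated Appliance",
     "vulnerabilityName": "ExampleVendor Unrelated Appliance Placeholder Vulnerability",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-10", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed asset inventory (hostnames and placement are invented).
INVENTORY = [
    {"hostname": "files-dmz-01", "product": "Gladinet CentreStack", "environment": "production", "internet_facing": True},
    {"hostname": "files-lab-02", "product": "Gladinet Triofox", "environment": "test", "internet_facing": False},
    {"hostname": "hosting-01", "product": "Control Web Panel", "environment": "production", "internet_facing": True},
    {"hostname": "hosting-stg", "product": "Control Web Panel", "environment": "staging", "internet_facing": False},
    {"hostname": "dc01", "product": "Windows Server", "environment": "production", "internet_facing": False},
]


def kev_entries(feed_json: str) -> list:
    return json.loads(feed_json)["vulnerabilities"]


def asset_matches(asset: dict, entry: dict) -> bool:
    """Name match: every significant word (4+ chars) of the asset's product name
    must appear in the entry's vendor/product/name text, case-insensitively."""
    haystack = " ".join(
        (entry.get("vendorProject", ""), entry.get("product", ""), entry.get("vulnerabilityName", ""))
    ).lower()
    words = [w for w in asset["product"].lower().split() if len(w) >= 4]
    return bool(words) and all(w in haystack for w in words)


def tier(asset: dict) -> str:
    if asset["internet_facing"]:
        return "P1 internet-facing"
    if asset["environment"] == "production":
        return "P2 production"
    return "P3 internal non-production"


def prioritize(feed_json: str, inventory: list, today_iso: str) -> list:
    """Join inventory against the feed; order by exposure, then by due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in kev_entries(feed_json):
            if asset_matches(asset, entry):
                due = date.fromisoformat(entry["dueDate"])
                findings.append({
                    "hostname": asset["hostname"],
                    "cveID": entry["cveID"],
                    "tier": tier(asset),
                    "due_date": due.isoformat(),
                    "days_remaining": (due - today).days,
                    "internet_facing": asset["internet_facing"],
                    "environment": asset["environment"],
                })
    findings.sort(key=lambda f: (not f["internet_facing"], f["environment"] != "production", f["due_date"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(KEV_FEED_JSON, INVENTORY, "2025-01-01"):
        print(f"{f['tier']:<28} {f['hostname']:<14} {f['cveID']:<15} due {f['due_date']} ({f['days_remaining']} days)")
```

In practice the feed would be fetched from CISA's published JSON URL and the inventory from a CMDB export; the matching here is deliberately simple (word overlap), so treat its output as a worklist to confirm, not as proof that an unmatched host is unaffected.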
Risk analysis: strengths, weaknesses, and likely attacker behavior
Notable strengths of CISA’s KEV process
- Operational clarity: KEV reduces triage noise by flagging only CVEs with evidence of exploitation—helping teams prioritize finite patching resources.
- Policy leverage: BOD 22‑01 ties the KEV list to enforceable timelines for federal networks, improving accountability and reducing windows of exposure to active threats.
- Public signal: KEV listings alert private sector defenders to active campaigns and increase the odds of coordinated mitigation across critical infrastructure providers.
Potential risks and limitations
- Vendor patch lag: KEV may contain vulnerabilities that are actively exploited before vendors release fixes; defenders must rely on mitigations until patches arrive. The Gladinet case illustrates this danger—active exploitation was reported while comprehensive patches lagged, forcing operators to adopt workarounds.
- False sense of completeness: KEV lists only CVEs with observed exploitation; many critical vulnerabilities not yet exploited in the wild will not appear—teams must maintain broad vulnerability management beyond KEV.
- Resource strain: Rapid remediation deadlines can strain patch-management pipelines, especially for organizations with complex, heterogeneous inventories or legacy dependencies.
Likely attacker behavior
- Chaining: Attackers will attempt to chain information-disclosure bugs (like LFI) with serialization or symmetric-key weaknesses to escalate to RCE.
- Scanning automation: Expect wide, automated scanning for known URLs/parameters associated with CentreStack/Triofox upload/download proxies and CWP filemanager endpoints; opportunistic exploitation tends to follow public disclosure quickly.
- Lateral pivoting: Compromise of a web panel or file-share server frequently becomes a pivot point into internal services, credential stores, and backup windows—amplifying impact beyond the initial host.
Understanding these attacker patterns helps defenders prioritize mitigations that limit both initial compromise and subsequent lateral movement.
Action checklist for WindowsForum readers and IT teams
- Inventory and prioritize:
  - Identify CentreStack, Triofox, and CWP installations across on‑prem, cloud, and managed hosting environments.
  - Tag internet‑facing and tenant‑hosting instances for immediate mitigation and patching.
- Immediate containment steps:
  - Block public access to vulnerable endpoints via firewall rules or network ACLs.
  - Restrict administrative access to trusted IP ranges or VPNs.
  - Disable or restrict web services not required for operation.
- Patch and configuration:
  - Apply vendor patches the moment they are released and validated in test environments.
  - Rotate any keys or secrets (e.g., machine keys) potentially exposed by LFI.
- Detection and hunting:
  - Deploy WAF rules to normalize/inspect suspicious inputs and block known bad parameter patterns.
  - Search logs for downloads of Web.config or other config artifacts and for unusual filemanager changePerm requests.
  - Use endpoint telemetry to detect unexpected process creation, reverse shells, or post‑exploit artifacts.
- Incident response readiness:
  - Prepare containment playbooks that include rapid isolation of compromised hosts and forensic image collection.
  - Ensure backups are segmented and immutable where possible to protect against potential ransomware follow-on.
Follow these steps in the listed order—inventory and containment are immediate; patching and rotation follow quickly; detection and incident response are continuous.
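The log-search items in the checklist above, together with the detection tips given earlier for each CVE (requests for Web.config or other configuration files, and filemanager changePerm requests carrying shell metacharacters in t_total), can be expressed as a small hunting script. The Python below is an added example for this article, not a Huntress, CISA or vendor detection. It assumes web-server access logs in the common combined format and runs over six constructed log lines; the request paths (`/files/download`, `/user/index.php?module=filemanager&acc=changePerm`), client addresses and timestamps are invented for the demonstration and are not the products' real endpoints. It URL-decodes repeatedly so that double-encoded traversal is not missed, and it rates a hit as high when the server answered 200.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SHELL_META = set(";|&$`\n")

# Constructed sample log; nothing here is real traffic.
SAMPLE_LOG = """
198.51.100.7 - - [10/Oct/2025:09:14:02 +0000] "GET /login HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:09:14:05 +0000] "GET /files/download?name=report.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Oct/2025:09:20:11 +0000] "GET /files/download?name=..%2F..%2FWeb.config HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.42 - - [10/Oct/2025:09:20:13 +0000] "GET /files/download?name=%252e%252e%2F%252e%252e%2FWeb.config HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.19 - - [10/Oct/2025:10:02:40 +0000] "POST /user/index.php?module=filemanager&acc=changePerm&t_total=755 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2025:10:05:03 +0000] "POST /user/index.php?module=filemanager&acc=changePerm&t_total=755%3Bid HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""


def deep_unquote(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so %252e (double-encoded '.') is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Return a dict with decoded path and query params, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = deep_unquote(parts.path)
    rec["params"] = {k: [deep_unquote(v) for v in vs]
                     for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def rules_for(rec: dict) -> list:
    """Apply the hunting rules from the article to one parsed request."""
    hits = []
    values = [rec["path"]] + [v for vs in rec["params"].values() for v in vs]
    joined = " ".join(values).lower()
    if "../" in joined or "..\\" in joined:
        hits.append("path_traversal")
    if any("web.config" in v.lower() or v.lower().endswith(".config") for v in values):
        hits.append("config_file_request")
    if "changeperm" in rec["target"].lower():
        for v in rec["params"].get("t_total", []):
            if any(ch in SHELL_META for ch in v):
                hits.append("changeperm_shell_metachar")
                break
    return hits


def hunt(log_text: str) -> list:
    """Return one finding per log line that trips at least one rule."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        rules = rules_for(rec)
        if rules:
            findings.append({
                "line": n, "src": rec["ip"], "status": rec["status"],
                "rules": rules,
                "severity": "high" if rec["status"] == "200" else "medium",
                "request": rec["target"],
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']} {f['src']} [{f['severity']}] {', '.join(f['rules'])}: {f['request']}")
```

Note that a changePerm request whose parameters travel in a POST body will not show them in a standard access log; for that case the same `rules_for` logic has to run over WAF or reverse-proxy logs that capture request bodies. A 404 on a traversal attempt is still worth recording, since it shows who was probing before a successful read.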
Vendor engagement and disclosure posture
Multiple security vendors and sector ISACs published advisories around the Gladinet LFI and CWP command injection, with Huntress and other researchers providing technical analysis and evidence of exploitation. Where vendors have publicly acknowledged the issues, they have generally pushed mitigations and coordinated disclosure with affected customers. Organizations should rely on vendor advisories for exact patched version numbers and official mitigation steps, but when vendor response is delayed, the defensive measures above become the primary risk control. If your organization uses these products, open and document a support channel with the vendor, insist on timelines for fixes, and require detailed guidance for key rotation and forensic readiness. When vendors cannot immediately patch, require compensating technical controls in procurement and supplier agreements moving forward.
Final assessment and conclusion
CISA’s addition of CVE‑2025‑11371 and CVE‑2025‑48703 to the KEV Catalog is a clear operational signal: these are not theoretical vulnerabilities but active attack vectors being abused in the wild. The Gladinet CentreStack/Triofox LFI (CVE‑2025‑11371) demonstrates the classical—and dangerous—pattern of information disclosure enabling key theft and chained RCE, while the CWP command injection (CVE‑2025‑48703) highlights the continuing risk of parameter‑handling flaws in hosting control panels that provide immediate OS command execution when exploited. Both entries should be treated as high‑priority items in any vulnerability‑management program. Operationally, the recommended path is immediate inventory and containment, application of vendor mitigations and patches as soon as they are available, rotation of secrets where disclosure is possible, and continuous detection/hunting for indicators of compromise. The KEV mechanism—backed by BOD 22‑01 for federal agencies—accelerates the timeline between discovery and remediation. For all organizations that manage Windows servers, web panels, or file‑sharing platforms, the practical implication is unchanged: treat KEV additions as urgent, coordinate across infrastructure and application teams, and verify remediation with detection and incident‑response readiness.
CISA’s listings are a blunt but necessary instrument: they convert observed exploitation into action. Defenders who respond quickly—by isolating vulnerable services, applying mitigations, and hunting for signs of compromise—will blunt the attacker advantage and reduce the chance that an exploited web panel or file server becomes the foothold for a larger breach.
Acknowledgement: readers managing affected products should consult vendor advisories and CISA’s KEV feed for the latest remediation deadlines and technical guidance, and treat these entries as immediate operational priorities.
Source: CISA
CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA