Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
CISA Warns! New Bugs in Gladinet, Control Web Panel, and WordPress Expose Systems

5 November 2025 07:58

Two vulnerabilities affecting Gladinet CentreStack/Triofox and Control Web Panel (CWP) have been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

Because the flaws are being actively exploited, Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor mitigations and secure their networks by November 25, 2025.

The two new KEV entries are:

  • CVE-2025-11371 (CVSS score: 7.5) – An externally accessible files or directories flaw in Gladinet CentreStack and Triofox that can lead to unintended disclosure of system files.
  • CVE-2025-48703 (CVSS score: 9.0) – An operating system command injection vulnerability in Control Web Panel (formerly CentOS Web Panel) that allows unauthenticated remote code execution via shell metacharacters in the t_total parameter of a file manager changePerm request.
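To make the injection mechanism concrete, here is an added Python example that is not Control Web Panel's code (CWP itself is written in PHP; Python is used only to illustrate the pattern). It shows a toy permission-change handler that builds a `chmod` string the way a vulnerable changePerm handler would, next to a hardened version that allowlists the mode and calls chmod(2) without a shell. Only the parameter name `t_total` comes from the advisory; the function names, the sample payload and the metacharacter regex are assumptions made for this demo.

```python
"""Added example, not Control Web Panel's code: a toy permission-change
handler reproducing the unsafe pattern described for CVE-2025-48703 (a
request parameter reaching a shell) next to a hardened version. Only the
parameter name t_total comes from the advisory; function names, the sample
payload and the detection regex are constructed for this demo."""
import os
import re
import stat
import tempfile

# A chmod mode is three octal digits, optionally with a leading 0; nothing else.
MODE_RE = re.compile(r"0?[0-7]{3}")
# Characters that let a value escape its intended position on a shell command line.
SHELL_META_RE = re.compile(r"[;&|`$<>(){}\\\"'\n]")


def build_vulnerable_command(path: str, t_total: str) -> str:
    """The unsafe pattern: interpolating request input into a shell string.
    Returned instead of executed so the injected command can be inspected."""
    return f"chmod {t_total} {path}"


def change_perm_hardened(path: str, t_total: str) -> int:
    """Hardened handler: allowlist the mode, then call chmod(2) directly.
    No shell means metacharacters are inert; the allowlist also blocks
    argument injection such as t_total='--reference=/etc/shadow', which
    would survive a plain argv-list subprocess call."""
    if MODE_RE.fullmatch(t_total) is None:
        raise ValueError(f"rejected mode {t_total!r}")
    os.chmod(path, int(t_total, 8))
    return stat.S_IMODE(os.stat(path).st_mode)


def looks_injected(value: str) -> bool:
    """Cheap request-side check for WAF rules or triage of changePerm requests."""
    return SHELL_META_RE.search(value) is not None


def demo() -> dict:
    """Run the vulnerable and hardened paths against a constructed payload."""
    payload = "644; id > /tmp/pwned"  # constructed: a mode followed by an injected command
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        try:
            change_perm_hardened(path, payload)
            blocked = False
        except ValueError:
            blocked = True
        mode = change_perm_hardened(path, "640")
    finally:
        os.unlink(path)
    return {
        "vulnerable_command": build_vulnerable_command(path, payload),
        "payload_flagged": looks_injected(payload),
        "payload_blocked": blocked,
        "mode_after_hardened": mode,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The string returned by `build_vulnerable_command` shows why the payload works: the shell sees `chmod 644`, then a second command `id > /tmp/pwned /path`. Note that merely switching to an argv list (`["chmod", t_total, path]`) is not enough on its own, because `t_total` could still be an option such as `--reference=`; the strict octal allowlist is what closes both holes.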

Separately, three critical security flaws have been disclosed in WordPress plugins and themes:

  • CVE-2025-11533 (CVSS score: 9.8) – A privilege escalation vulnerability in WP Freeio that allows an unauthenticated attacker to grant themselves administrator privileges by specifying a user role during registration.
  • CVE-2025-5397 (CVSS score: 9.8) – An authentication bypass vulnerability in Noo JobMonster that allows unauthenticated attackers to log in as administrative users, provided social login is enabled on the site.
  • CVE-2025-11833 (CVSS score: 9.8) – Missing authorization checks in Post SMTP allow an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, leading to site takeover.

Users of sites running these plugins and themes are advised to update to the latest version as soon as possible, use strong passwords, and monitor their sites for signs of malware or unexpected accounts.

The development comes just weeks after cybersecurity firm Huntress said it had detected active exploitation attempts targeting CVE-2025-11371, with unknown threat actors exploiting the flaw to execute reconnaissance commands (e.g., ipconfig /all) transmitted as a Base64-encoded payload.
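The Base64-wrapped reconnaissance commands Huntress describes are easy to miss in raw logs. As an added example (not Huntress's tooling or Gladinet's code), the Python below decodes Base64-looking tokens found in constructed access-log lines, trying both UTF-8 and UTF-16LE (the encoding PowerShell's -EncodedCommand expects), and flags decoded text that matches common host-discovery commands. The log format, field names, IP addresses and paths are made up for the demo; only `ipconfig /all` comes from the article.

```python
"""Added example, not Huntress's or Gladinet's code: flag Base64-encoded
reconnaissance commands (the article mentions ipconfig /all) hidden in
request parameters. Log lines and field names are constructed for the demo."""
import base64
import re
from typing import Dict, List

# Tokens long enough to carry a command; short IDs and ordinary words are ignored.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Host-discovery commands commonly run right after initial access.
RECON_RE = re.compile(
    r"\b(ipconfig(\s+/all)?|whoami|systeminfo|hostname|tasklist|nltest|quser|"
    r"net\s+(user|group|localgroup|view)|arp\s+-a|netstat)\b",
    re.IGNORECASE,
)


def decode_token(token: str) -> List[str]:
    """Return the printable decodings of a Base64 token as UTF-8 and UTF-16LE
    (PowerShell -EncodedCommand uses the latter); [] if it is not Base64."""
    core = token.rstrip("=")
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return []
    texts = []
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            texts.append(text)
    return texts


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Decode every Base64-looking token on each line; report recon commands."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for match in B64_TOKEN_RE.finditer(line):
            for text in decode_token(match.group(0)):
                hit = RECON_RE.search(text)
                if hit:
                    findings.append({
                        "line": lineno,
                        "token": match.group(0),
                        "decoded": text,
                        "command": hit.group(0),
                    })
                    break  # one finding per token is enough
    return findings


def b64(text: str, enc: str = "utf-8") -> str:
    """Helper used only to build the constructed sample lines below."""
    return base64.b64encode(text.encode(enc)).decode("ascii")


# Constructed web-server-style access log lines (not real telemetry).
SAMPLE_LINES = [
    f"2025-10-09T14:02:11Z 203.0.113.5 POST /portal/api cmd={b64('ipconfig /all')} 200",
    f"2025-10-09T14:02:19Z 198.51.100.7 GET /portal/login user={b64('alice@example.com')} 200",
    f"2025-10-09T14:03:40Z 203.0.113.5 POST /portal/api cmd={b64('whoami /all', 'utf-16-le')} 200",
]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['command']!r} decoded from {f['token']}")
```

The second sample line is a benign Base64-encoded e-mail address and is not flagged, which is the point of decoding first and matching second: alerting on "any Base64 in a parameter" would drown the SOC in noise, while matching only the decoded text keeps the rule tight. Extend `RECON_RE` with the commands relevant to your environment before deploying it.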

There are currently no public reports detailing how CVE-2025-48703 is being exploited in real-world attacks. Security researcher Maxime Rinaudo published the technical details of the vulnerability in June 2025, shortly after the fix shipped in version 0.9.8.1205; the issue had been responsibly reported on May 13.


Agostino Pellegrino
He is a freelancer, teacher and expert in computer forensics, cyber security, ethical hacking and network management. He has collaborated with leading educational institutions internationally, has taught and mentored advanced offensive security techniques for NATO, and has received major awards from the U.S. Government. His motto is "Study. Always."
Areas of Expertise: Cybersecurity architecture, Threat intelligence, Digital forensics, Offensive security, Incident response & SOAR, Malware analysis, Compliance & frameworks