Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
CISA Warns! New Bugs in Gladinet, Control Web Panel, and WordPress Expose Systems

5 November 2025 07:58

Two vulnerabilities related to Gladinet and Control Web Panel (CWP) have been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) catalog of known exploited vulnerabilities (KEVs), due to reports of active exploitation.

In light of the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary remediations to protect their networks by November 25, 2025.

The bugs included in the KEV catalog are as follows:

  • CVE-2025-11371 (CVSS score: 7.5) – A vulnerability in externally accessible files or directories in Gladinet CentreStack and Triofox that could lead to unintended disclosure of system files.
  • CVE-2025-48703 (CVSS score: 9.0) – An operating system command injection vulnerability in Control Web Panel (formerly CentOS Web Panel) leads to unauthenticated remote code execution via shell metacharacters in the t_total parameter in a file manager changePerm request.

Three more critical security flaws affecting WordPress plugins and themes have also been reported.

Users of WordPress sites that use the mentioned plugins and themes are therefore advised to update them to the latest version as soon as possible, use strong passwords, and monitor their sites for signs of malware or the presence of unexpected accounts.

  • CVE-2025-11533 (CVSS score: 9.8) – A privilege escalation vulnerability in WP Freeio that allows an unauthenticated attacker to grant themselves administrative privileges by specifying a user role during registration.
  • CVE-2025-5397 (CVSS score: 9.8) – An authentication bypass vulnerability in Noo JobMonster that allows unauthenticated attackers to bypass standard authentication and access administrative user accounts, assuming social login is enabled on a site.
  • CVE-2025-11833 (CVSS score: 9.8) – Lack of authorization checks in Post SMTP allows an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, allowing site takeover.

The development comes just weeks after cybersecurity firm Huntress said it had detected active exploitation attempts targeting CVE-2025-11371, with unknown threat actors exploiting the flaw to execute reconnaissance commands (e.g., ipconfig /all) transmitted as a Base64-encoded payload.

Currently, there are no public reports of CVE-2025-48703 being exploited in real-world attacks. The technical details of the vulnerability were disclosed by security researcher Maxime Rinaudo in June 2025, shortly after a fix was released in version 0.9.8.1205, following a responsible disclosure on May 13.
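As an added example (not from the article, CISA or Huntress), the following Python log triage script flags the two request patterns described above: shell metacharacters in the `t_total` parameter of a CWP file manager `changePerm` request, and Base64-encoded reconnaissance commands such as `ipconfig /all` carried in request parameters. The log lines are constructed, and the `/filemanager/changePerm` path and the `cmd` parameter name are assumptions, since the article names only the `changePerm` request and the `t_total` parameter.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed web server access-log lines (not from any real incident).
# The /filemanager/changePerm path and the cmd parameter are assumptions.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Nov/2025:10:01:02 +0000] "POST /filemanager/changePerm?t_total=755&path=%2Fhome HTTP/1.1" 200 512
203.0.113.11 - - [04/Nov/2025:10:01:09 +0000] "POST /filemanager/changePerm?t_total=755%3Bid HTTP/1.1" 200 512
203.0.113.12 - - [04/Nov/2025:10:02:15 +0000] "GET /portal/api?cmd=aXBjb25maWcgL2FsbA%3D%3D HTTP/1.1" 200 88
203.0.113.13 - - [04/Nov/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")  # characters a shell would interpret
RECON_CMDS = ("ipconfig", "whoami", "net user", "systeminfo")


def decode_b64(value):
    """Return decoded text if value is well-formed Base64 of printable ASCII, else None."""
    if len(value) < 8 or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def analyse_log(log_text):
    """Return (client_ip, rule, evidence) tuples for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, parts = m.group("ip"), urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        # Rule 1: changePerm request whose t_total value carries shell metacharacters
        if "changePerm" in parts.path:
            for value in params.get("t_total", []):
                if SHELL_META.search(value):
                    findings.append((ip, "CVE-2025-48703 t_total injection", value))
        # Rule 2: any parameter that Base64-decodes to a reconnaissance command
        for name, values in params.items():
            for value in values:
                decoded = decode_b64(value)
                if decoded and decoded.lower().startswith(RECON_CMDS):
                    findings.append((ip, f"base64 recon command in {name}", decoded))
    return findings


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

On a real deployment the same two rules would run over the web server's own access logs, with the path pattern adjusted to the CWP file manager endpoint actually exposed.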
