Red Hot Cyber, the Italian blog on cyber security
CISA Warns! New Bugs in Gladinet, Control Web Panel, and WordPress Expose Systems

Redazione RHC: 5 November 2025 07:58

Two vulnerabilities affecting Gladinet and Control Web Panel (CWP) have been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation.

In light of the active exploitation, Federal Civilian Executive Branch (FCEB) agencies must apply the required remediation to secure their networks by November 25, 2025.

The bugs included in the KEV catalog are as follows:

  • CVE-2025-11371 (CVSS Score: 7.5) – A vulnerability in externally accessible files or directories in Gladinet CentreStack and Triofox that could lead to unintended disclosure of system files.
  • CVE-2025-48703 (CVSS score: 9.0) – An operating system command injection vulnerability in Control Web Panel (formerly CentOS Web Panel) that leads to unauthenticated remote code execution via shell metacharacters in the t_total parameter of a file manager changePerm request.
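The CWP entry describes the classic OS command injection pattern: a request parameter that is meant to carry a permission mode ends up inside a string that a shell interprets. The snippet below is an added illustration written for this article, not Control Web Panel's code; the function names, the `mode` parameter and the sandbox directory are assumptions. It contrasts the vulnerable string-building pattern (built but never executed here) with a hardened handler that validates the mode against a strict octal pattern, confines the target path, and calls `chmod` with an argument list so no shell ever parses the input.

```python
"""Added example: shell metacharacters in a permission-change parameter,
and a hardened handler that rules them out. Illustrative code only; not
Control Web Panel's implementation. Names and paths are assumptions."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Only a plain octal mode (e.g. 644 or 0750) is acceptable for chmod.
OCTAL_MODE = re.compile(r"^[0-7]{3,4}$")


def unsafe_command_string(path: str, mode: str) -> str:
    """Vulnerable pattern: user input is pasted into one string that a shell
    would interpret. The string is only built here, never executed, so the
    reader can see what survives into it."""
    return f"chmod {mode} {path}"


def safe_change_perm(base_dir: Path, rel_path: str, mode: str) -> int:
    """Hardened pattern: validate every field, confine the target to base_dir,
    and invoke chmod with an argument list (no shell parses the input).
    Returns the resulting permission bits."""
    if not OCTAL_MODE.fullmatch(mode):
        raise ValueError(f"rejected mode {mode!r}: not a plain octal mode")
    target = (base_dir / rel_path).resolve()
    # Refuse anything that escapes the directory the file manager serves.
    if base_dir.resolve() not in target.parents:
        raise ValueError(f"rejected path {rel_path!r}: outside {base_dir}")
    # argv list: shell=False is the default, so ';' or '|' are just characters.
    subprocess.run(["chmod", mode, str(target)], check=True)
    return os.stat(target).st_mode & 0o777


def demo() -> dict:
    """Run both handlers against constructed inputs and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "notes.txt").write_text("constructed sample file\n")
        # Benign request: accepted, and the mode really changes.
        results["benign"] = oct(safe_change_perm(base, "notes.txt", "640"))
        # Request carrying a metacharacter (constructed): the vulnerable string
        # keeps it intact, the hardened handler refuses it before anything runs.
        tainted = "644; echo injected"
        results["unsafe_string"] = unsafe_command_string("notes.txt", tainted)
        try:
            safe_change_perm(base, "notes.txt", tainted)
            results["hardened"] = "accepted"
        except ValueError as exc:
            results["hardened"] = str(exc)
        # A path that escapes the served directory is refused the same way.
        try:
            safe_change_perm(base, "../outside", "644")
            results["path"] = "accepted"
        except ValueError as exc:
            results["path"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list on `mode` is what removes the bug class: rejecting everything that is not three or four octal digits means there is nothing left for a shell to interpret, and passing an argument list instead of a string means even a missed case would be handed to `chmod` as a literal argument rather than executed.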

Three further critical security bugs affecting three WordPress plugins and themes have also been added.

Users of WordPress sites that use the mentioned plugins and themes are therefore advised to update them to the latest version as soon as possible, use strong passwords, and monitor their sites for signs of malware or the presence of unexpected accounts.

  • CVE-2025-11533 (CVSS score: 9.8) – A privilege escalation vulnerability in WP Freeio that allows an unauthenticated attacker to grant themselves administrative privileges by specifying a user role during registration.
  • CVE-2025-5397 (CVSS score: 9.8) – An authentication bypass vulnerability in Noo JobMonster that allows unauthenticated attackers to bypass standard authentication and access administrative user accounts, assuming social login is enabled on a site.
  • CVE-2025-11833 (CVSS Score: 9.8) – Lack of authorization checks in Post SMTP allows an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, allowing site takeover.
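Two of the WordPress bugs above come down to server-side handling mistakes that are easy to state in code: trusting a client-supplied role at registration (WP Freeio) and returning sensitive data without an authorization check (Post SMTP). The example below is added for illustration and is not code from WP Freeio, Noo JobMonster or Post SMTP; the `User` model, the form field names and the e-mail log are simplified stand-ins. `manage_options` is a real WordPress capability name, used here as the gate for log access.

```python
"""Added example (not the plugins' code): two server-side patterns that close
the bug classes described above.

1. Registration never trusts a client-supplied role: the server assigns the
   default role and discards any field the form is not allowed to set.
2. An endpoint that exposes sensitive data (here an e-mail log that may hold
   password-reset messages) checks the caller's capability before answering.
"""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_ROLE = "subscriber"
# Fields a registration form is allowed to set. "role" is deliberately absent.
REGISTRATION_FIELDS = {"username", "email"}


@dataclass
class User:
    username: str
    email: str
    role: str = DEFAULT_ROLE
    capabilities: set = field(default_factory=set)


def register_user(form: dict) -> User:
    """Mass-assignment-safe registration: unknown keys (including 'role') are
    dropped, and the role is fixed server-side regardless of the request."""
    clean = {k: v for k, v in form.items() if k in REGISTRATION_FIELDS}
    missing = REGISTRATION_FIELDS - clean.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return User(username=clean["username"], email=clean["email"], role=DEFAULT_ROLE)


# Constructed sample log, including the kind of entry that must stay private.
EMAIL_LOG = [
    {"to": "alice@example.test", "subject": "Welcome"},
    {"to": "admin@example.test", "subject": "Password reset",
     "body": "reset-link-placeholder"},
]


def get_email_logs(current_user: Optional[User]) -> list:
    """Authorization check before returning the log: unauthenticated callers
    and users without the management capability get nothing."""
    if current_user is None or "manage_options" not in current_user.capabilities:
        raise PermissionError("email log requires the manage_options capability")
    return EMAIL_LOG


if __name__ == "__main__":
    # Constructed request that tries to self-assign a privileged role.
    u = register_user({"username": "newuser", "email": "n@example.test",
                       "role": "administrator"})
    print("assigned role:", u.role)
    try:
        get_email_logs(None)
    except PermissionError as exc:
        print("unauthenticated access refused:", exc)
```

The point of `REGISTRATION_FIELDS` is that the allow-list, not the attacker, decides which keys reach the model; and the point of `get_email_logs` is that the capability check sits inside the function that returns the data, so no alternative route to that function can skip it.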

The development comes just weeks after cybersecurity firm Huntress said it had detected active exploitation attempts targeting CVE-2025-11371, with unknown threat actors exploiting the flaw to execute reconnaissance commands (e.g., ipconfig /all) transmitted as a Base64-encoded payload.
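A practical triage step for the Gladinet activity Huntress described is to look for request parameters that are Base64 wrapping an operating-system command. The script below is an added example, not Huntress's or Gladinet's detection logic: the log format (combined-log style), the request path `/files/view`, the parameter name `cmd` and the small watch-list of command names are all constructed for the demonstration. It decodes Base64-looking query values and reports those that contain a watched command, while leaving ordinary Base64 (such as a session token) alone.

```python
"""Added example: flag Base64-encoded reconnaissance commands in web request
logs. Constructed log lines and watch-list; not a vendor's detection rule."""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Command names a file-serving endpoint should never be asked to carry.
# Constructed watch-list; extend it from your own telemetry.
RECON_COMMANDS = ("ipconfig", "whoami", "systeminfo", "net user")

# Standard or URL-safe Base64 alphabet, long enough to be worth decoding.
B64_VALUE = re.compile(r"^[A-Za-z0-9+/_=-]{16,}$")

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log. The third line carries base64("ipconfig /all").
SUSPECT_PARAM = base64.b64encode(b"ipconfig /all").decode()
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Nov/2025:10:00:01 +0000] "GET /portal/index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Nov/2025:10:00:05 +0000] '
    '"GET /api/search?q=hello&session=YWJjZGVmZ2hpamtsbW5vcA== HTTP/1.1" 200 88',
    f'198.51.100.23 - - [01/Nov/2025:10:01:12 +0000] "POST /files/view?cmd={SUSPECT_PARAM} HTTP/1.1" 200 41',
]


def decode_if_base64(value: str) -> Optional[str]:
    """Return the decoded text if value is valid Base64 that decodes to
    printable text (whitespace allowed), else None."""
    if not B64_VALUE.fullmatch(value):
        return None
    try:
        raw = base64.b64decode(value, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None


def scan_request(line: str) -> list:
    """Parse one log line and return a finding for every query parameter
    whose Base64 payload contains a watched command name."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    query = urlsplit(m["target"]).query
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            # parse_qs turns a literal '+' into a space; Base64 never holds
            # spaces, so restoring '+' is safe.
            decoded = decode_if_base64(value.replace(" ", "+"))
            if decoded is None:
                continue
            hit = next((c for c in RECON_COMMANDS if c in decoded.lower()), None)
            if hit:
                findings.append({"ip": m["ip"], "timestamp": m["ts"],
                                 "param": name, "decoded": decoded, "matched": hit})
    return findings


def scan_log(lines) -> list:
    """Scan many lines; returns all findings in log order."""
    return [finding for line in lines for finding in scan_request(line)]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The session-token line produces no finding even though it is valid Base64, because the decoded text matches nothing on the watch-list; that distinction, rather than Base64 alone, is what keeps the rule usable on a busy log.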

Currently, there are no public reports of CVE-2025-48703 being exploited in real-world attacks. The technical details of the vulnerability were disclosed by security researcher Maxime Rinaudo in June 2025, shortly after a fix was released in version 0.9.8.1205, following a responsible disclosure on May 13.
