The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerabilities in question are listed below –
- CVE-2025-11371 (CVSS score: 7.5) – A vulnerability in files or directories accessible to external parties in Gladinet CentreStack and Triofox that could result in unintended disclosure of system files.
- CVE-2025-48703 (CVSS score: 9.0) – An operating system command injection vulnerability in Control Web Panel (formerly CentOS Web Panel) that results in unauthenticated remote code execution via shell metacharacters in the t_total parameter of a filemanager changePerm request.
The development comes weeks after cybersecurity company Huntress said it had detected active exploitation attempts targeting CVE-2025-11371, with unknown threat actors leveraging the flaw to run reconnaissance commands (e.g., ipconfig /all) passed in the form of a Base64-encoded payload.
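The two observations above (shell metacharacters in the t_total parameter of a changePerm request, and Base64-encoded payloads that decode to reconnaissance commands such as ipconfig /all) can both be checked for in web server access logs. The following is an added example written for this page, not code from CISA, Huntress, Gladinet or CWP. It assumes the payload is visible in the request URL; the log lines are constructed, the /filemanager/changePerm path is a hypothetical placeholder rather than the real CWP endpoint, and the list of reconnaissance commands beyond ipconfig is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl

# Shell metacharacters that have no business in a permission value: a
# legitimate t_total would be an octal mode such as 755, so anything that
# can terminate or chain a shell command is treated as an injection attempt.
SHELL_METACHARS = re.compile(r"[;|&`$(){}<>\n]")

# Reconnaissance commands to flag in a decoded payload. ipconfig /all is the
# one reported for CVE-2025-11371; the rest are an assumed extension.
RECON_COMMANDS = re.compile(
    r"\b(ipconfig|ifconfig|whoami|systeminfo|hostname|net\s+user|uname|cat\s+/etc/passwd)\b",
    re.IGNORECASE,
)

# Minimal parser for a "combined"-style access log line (constructed format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one benign changePerm call, one with an injected
# command, one Base64 recon payload, and one ordinary request.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Nov/2025:14:02:11 +0000] "GET /filemanager/changePerm?t_total=755&path=%2Fhome HTTP/1.1" 200 512',
    '203.0.113.11 - - [10/Nov/2025:14:02:14 +0000] "GET /filemanager/changePerm?t_total=755%3Bid&path=%2Fhome HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Nov/2025:14:05:30 +0000] "POST /api/upload?cmd=aXBjb25maWcgL2FsbA%3D%3D HTTP/1.1" 200 77',
    '198.51.100.8 - - [10/Nov/2025:14:06:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024',
]


def try_base64(value: str):
    """Return the decoded text if value is plausible Base64, otherwise None."""
    candidate = value.strip()
    if len(candidate) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=]+", candidate):
        return None
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    # Require printable output so random alphanumeric tokens do not match.
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def analyse_request(target: str):
    """Return a list of (rule, detail) findings for one request target."""
    findings = []
    parsed = urlsplit(target)
    # parse_qsl already percent-decodes values, so %3B becomes ';' here.
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        # Rule 1: shell metacharacters in t_total on a changePerm request.
        if name == "t_total" and "changePerm" in parsed.path and SHELL_METACHARS.search(value):
            findings.append(("cwp_changeperm_t_total_metachar", value))
        # Rule 2: any parameter that is Base64 and decodes to a recon command.
        decoded = try_base64(value)
        if decoded is not None and RECON_COMMANDS.search(decoded):
            findings.append(("base64_recon_command", decoded))
    return findings


def scan_log(lines):
    """Run both rules over access-log lines and return a list of alert dicts."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        for rule, detail in analyse_request(m["target"]):
            alerts.append({"ip": m["ip"], "rule": rule, "detail": detail, "target": m["target"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ip"]} {alert["rule"]}: {alert["detail"]!r}')
```

Note that a standard access log records only the request line, so a changePerm request that carries t_total in a POST body will not be visible to this check; for that case the same rules need to run on a WAF log, an application log, or captured request bodies.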

However, there are currently no public reports on how CVE-2025-48703 is being weaponized in real-world attacks. That said, technical details of the flaw were shared by security researcher Maxime Rinaudo in June 2025, shortly after it was patched in version 0.9.8.1205 following responsible disclosure on May 13.
"It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server," Rinaudo said.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks.

The addition of the two flaws to the KEV catalog follows reports from Wordfence about the exploitation of critical security vulnerabilities impacting three WordPress plugins and themes –
- CVE-2025-11533 (CVSS score: 9.8) – A privilege escalation vulnerability in WP Freeio that makes it possible for an unauthenticated attacker to grant themselves administrative privileges by specifying a user role during registration.
- CVE-2025-5397 (CVSS score: 9.8) – An authentication bypass vulnerability in Noo JobMonster that makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts, provided social login is enabled on a site.
- CVE-2025-11833 (CVSS score: 9.8) – A missing authorization check in Post SMTP that makes it possible for an unauthenticated attacker to view email logs, including password reset emails, and change the password of any user, including an administrator, allowing site takeover.
WordPress site owners relying on the aforementioned plugins and themes are recommended to update them to the latest version as soon as possible, use strong passwords, and audit their sites for signs of malware or the presence of unexpected accounts.

