CISA Flags Active Exploitation of 2025 Gladinet CentreStack, Triofox, and CWP Control Web Panel Flaws
Executive Summary
In November 2025, the Cybersecurity and Infrastructure Security Agency (CISA) identified and announced active exploitation of two critical vulnerabilities: CVE-2025-11371 in Gladinet CentreStack and Triofox (files or directories exposed to external parties), and CVE-2025-48703 in CWP Control Web Panel (an OS command injection flaw). Threat actors are leveraging these weaknesses to gain unauthorized file access or execute malicious code within affected environments, targeting organizations across sectors. The vulnerabilities enable lateral movement, data exfiltration, and potentially full compromise, with significant risk to sensitive data, business operations, and regulatory posture for organizations running vulnerable systems.
This announcement underscores a broader trend of attackers exploiting unpatched software vulnerabilities in common enterprise tools. With automatic exploitation kits and a growing focus on file-sharing and web panel infrastructure, organizations face urgent pressure to accelerate vulnerability management and adopt Zero Trust practices to contain and monitor internal threats.
Why This Matters Now
The immediate, active exploitation of these vulnerabilities puts countless public and private sector organizations at risk of data breaches, business disruption, and compliance violations. With attackers rapidly automating campaigns against exposed systems, there is a critical need to identify, patch, and monitor vulnerable assets to prevent compromise.
Attack Path Analysis
Attackers exploited exposed vulnerabilities in Gladinet CentreStack or CWP Control Web Panel to gain an initial foothold. Following access, they sought to escalate privileges or access sensitive files and directories. Using this elevated access, adversaries moved laterally within internal networks or cloud service environments to discover additional systems. They established command and control channels to maintain persistence and receive instructions. Sensitive data was then exfiltrated via outbound connections. The attack culminated in operational impact, such as data exposure or interruption of business processes.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited known vulnerabilities (CVE-2025-11371 or CVE-2025-48703) in public-facing applications to gain unauthorized access.
Related CVEs
CVE-2025-11371
CVSS 7.5An unauthenticated Local File Inclusion vulnerability in Gladinet CentreStack and Triofox allows unintended disclosure of system files.
Affected Products:
Gladinet CentreStack – <= 16.7.10368.56560
Gladinet Triofox – <= 16.7.10368.56560
Exploit Status:
exploited in the wildCVE-2025-48703
CVSS 9.8CWP (Control Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request.
Affected Products:
Control Web Panel CWP – < 0.9.8.1205
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: PowerShell
Exploitation for Privilege Escalation
Valid Accounts
Ingress Tool Transfer
Impair Defenses
Remote Services: Remote Desktop Protocol
Exfiltration Over Alternative Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Web Application Vulnerabilities
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA (Regulation (EU) 2022/2554) – ICT Risk Management – Identification and Protection
Control ID: Article 9.2
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Inventory and Remediate Known and Exploited Vulnerabilities
Control ID: Asset Management – Vulnerability Management
NIS2 Directive (EU) 2022/2555 – Technical and Organizational Measures
Control ID: Article 21.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory remediation under BOD 22-01 for CVE-2025-11371 and CVE-2025-48703, requiring immediate vulnerability management and compliance action.
Information Technology/IT
IT service providers using CentreStack, Triofox, or CWP face critical exposure to file access and command injection exploits requiring urgent patching.
Financial Services
Banking institutions with web control panels and file management systems risk data exposure through active exploitation of known vulnerabilities affecting encrypted traffic.
Health Care / Life Sciences
Healthcare organizations face HIPAA compliance risks from file accessibility vulnerabilities and command injection attacks targeting patient data protection systems.
Sources
- CISA Adds Two Known Exploited Vulnerabilities to Cataloghttps://www.cisa.gov/news-events/alerts/2025/11/04/cisa-adds-two-known-exploited-vulnerabilities-catalogVerified
- Gladinet CentreStack and Triofox Local File Inclusion Flawhttps://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flawVerified
- CWP Control Web Panel OS Command Injection Vulnerabilityhttps://fenrisk.com/rce-centos-webpanelVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, east-west traffic security, egress filtering, and inline intrusion prevention would have provided early detection, reduced attack surface, and limited lateral movement and data exfiltration. CNSF-aligned controls enforce least privilege, inspect traffic, and rapidly alert on suspicious behaviors at each stage, minimizing overall attack impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline detection and policy enforcement would detect and block suspicious exploit traffic.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation and least privilege boundaries prevent cross-access to privileged services.
Control: East-West Traffic Security
Mitigation: Internal traffic inspection detects and blocks unauthorized workload-to-workload movement.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 activity is detected and blocked based on policy and threat intelligence.
Control: Egress Security & Policy Enforcement
Mitigation: Data loss is prevented by restricting and monitoring outbound connectivity.
Rapid detection and response limits operational impact.
Impact at a Glance
Affected Business Functions
- File Sharing Services
- Web Hosting Services
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive system files and unauthorized remote code execution leading to data breaches.
Recommended Actions
Key Takeaways & Next Steps
- • Prioritize patching of all systems affected by KEV-listed vulnerabilities such as those in CentreStack and CWP Control Web Panel.
- • Implement Zero Trust segmentation and least privilege access to isolate workloads and reduce lateral movement opportunities.
- • Enforce egress filtering and outbound policy controls to block unauthorized C2 and data exfiltration.
- • Deploy threat detection and anomaly response tooling to monitor for exploit patterns and abnormal behaviors across cloud environments.
- • Leverage inline cloud-native enforcement, east-west inspection, and centralized visibility for rapid detection, investigation, and mitigation of emerging threats.
