Active Exploitation Confirmed for Gladinet and CWP — Patch Now

CISA added CVE-2025-11371 (Gladinet CentreStack / Triofox, sensitive file disclosure) and CVE-2025-48703 (Control Web Panel, pre-auth command injection) to the KEV catalog with evidence of active exploitation. Federal agencies must remediate by Nov 25, 2025. Related active WordPress exploitation (several CVSS 9.8 CVEs) increases the risk to web-facing infrastructure and shared hosting.

Immediate priorities (first 24–72 hours)

  1. Inventory and scope
    • Identify any Gladinet CentreStack / Triofox and CWP instances (production, staging, backups, legacy) and list versions and public exposure.
  2. Apply vendor fixes
    • Patch affected products to the vendor‑released versions that fix CVE‑2025‑11371 and CVE‑2025‑48703. If a vendor patch is not yet available, apply the mitigations below.
  3. Isolate high‑risk assets
    • Restrict network access to management interfaces (WAF, firewall, security groups) to a small set of trusted IPs or VPNs.
  4. Temporary mitigations
    • For CWP: block HTTP endpoints that handle the vulnerable filemanager changePerm request; implement WAF rules to drop requests containing suspicious shell metacharacters or the t_total parameter.
    • For Gladinet: deny direct public access to file/directory paths exposing system files; apply strict directory listing and permission rules.
  5. Credential and session hygiene
    • Rotate service and admin credentials for any affected systems and revoke active sessions where compromise is possible.

Detection and hunting guidance

  • Network indicators
    • Alert on requests to management/filemanager endpoints with unusual query parameters or base64 payloads, and on uncommon outbound connections from those hosts (recon/data exfil).
  • Host indicators
    • Look for executed commands like ipconfig/ifconfig/netstat invoked by web server processes; unexpected binaries, reverse shells, or cron entries created near times of suspicious requests.
  • Logs to check
    • Webserver/IIS logs, WAF logs, system auth logs, CWP and Gladinet application logs, backups and file timestamps.
  • Behavioural patterns
    • Rapid creation of reconnaissance output or archive files in temporary directories; unexpected system file reads or downloads; new local user accounts or sudo additions.
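The temporary CWP mitigation and the network and host indicators above can be turned into a concrete hunt. The script below is an added example, not code from the advisory, CISA, or either vendor. It scans constructed web-server access-log lines for the request patterns named above (a filemanager changePerm request, the t_total parameter, shell metacharacters in any query parameter) and scans constructed process-creation events for a web-server process spawning ipconfig/ifconfig/netstat. The endpoint path `/example-cwp/filemanager/changePerm`, the hostnames, and every sample event are constructed placeholders; the real CWP endpoint path is not stated in the advisory.

```python
"""Hunt helper for the Gladinet/CWP advisory (added example, constructed data)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell metacharacters that have no business in a file-manager parameter.
SHELL_META = re.compile(r"[;|&`$]|\$\(")
# Reconnaissance tools the advisory lists as web-server-invoked commands.
RECON_TOOLS = {"ipconfig", "ipconfig.exe", "ifconfig", "netstat", "netstat.exe"}
# Web-server process names that should never be the parent of those tools.
WEB_PARENTS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm", "php"}

# Apache/IIS-style combined log: client ident user [date] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

# Constructed access-log lines (not real traffic); the endpoint path is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Nov/2025:10:01:09 +0000] '
    '"POST /example-cwp/filemanager/changePerm?t_total=1 HTTP/1.1" 200 44',
    '198.51.100.9 - - [10/Nov/2025:10:02:15 +0000] '
    '"GET /example-cwp/filemanager/list?dir=a%3Bb HTTP/1.1" 200 1300',
]

# Constructed process-creation events in the shape an EDR/Sysmon export might give.
SAMPLE_PROCESS_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\ipconfig.exe"},
    {"host": "web02", "parent": "/usr/sbin/cron", "image": "/usr/bin/netstat"},
]


def inspect_request(line):
    """Return the reasons a log line matches the advisory's request indicators."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a parseable access-log line; nothing to judge
    _client, _method, target, _status = m.groups()
    parts = urlsplit(target)
    reasons = []
    if parts.path.lower().endswith("/changeperm"):
        reasons.append("filemanager changePerm request")
    # parse_qsl already percent-decodes once; unquote() again so a
    # double-encoded metacharacter (%253B) is still caught.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "t_total":
            reasons.append("t_total parameter present")
        if SHELL_META.search(unquote(value)):
            reasons.append(f"shell metacharacter in parameter {key!r}")
    return reasons


def _basename(path):
    """Last path component, accepting either '/' or '\\' separators."""
    return path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()


def inspect_process(event):
    """Return a finding string if a web-server process spawned a recon tool, else None."""
    parent = _basename(event.get("parent", ""))
    image = _basename(event.get("image", ""))
    if parent in WEB_PARENTS and image in RECON_TOOLS:
        return f"web server process {parent} spawned {image}"
    return None


def hunt(log_lines, process_events):
    """Run both checks and return (source, where, reason) tuples for review."""
    findings = []
    for line in log_lines:
        reasons = inspect_request(line)
        if reasons:
            findings.append(("request", line.split(" ", 1)[0], "; ".join(reasons)))
    for event in process_events:
        why = inspect_process(event)
        if why:
            findings.append(("process", event.get("host", "?"), why))
    return findings


if __name__ == "__main__":
    for source, where, reason in hunt(SAMPLE_LOG, SAMPLE_PROCESS_EVENTS):
        print(f"[{source}] {where}: {reason}")
```

Run it against an exported access log and a process-creation feed instead of the constructed samples; `inspect_request` is also the predicate you would encode in a WAF rule for the temporary CWP mitigation, while `inspect_process` is the host-side check for web-to-shell behaviour. Tune `SHELL_META` to the application, since legitimate file names can contain `$` or `&`, and treat a hit as a triage lead rather than proof of compromise.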

Remediation and recovery steps if compromise is suspected

  1. Contain: isolate the affected host from production and block egress to unknown endpoints.
  2. Preserve: collect full disk snapshot, memory image (if possible), webserver logs, and application logs before remediation.
  3. Eradicate: remove webshells/backdoors, replace compromised binaries from clean sources, and patch the system.
  4. Credential rotation: reset admin, API, and service account credentials; revoke OAuth tokens and certificates if used.
  5. Rebuild: prefer rebuild from known-good images for hosts showing persistent indicators; restore data from verified backups.
  6. Post‑incident monitoring: increase telemetry and retention for 30–90 days to detect any re‑infiltration or lateral movement.

Short- and long-term mitigations

  • Short-term
    • Harden management interfaces behind VPN/jumpboxes; apply strict WAF rules for known exploit patterns; block attacker IPs and known cloud scanner ranges where appropriate.
    • Enforce strong RBAC and MFA for all admin accounts.
    • Audit backups and remove publicly accessible snapshots that might expose sensitive files.
  • Long-term
    • Add affected products to vulnerability management and SBOM inventories; ensure automatic patching or rapid patch windows for internet‑facing appliances.
    • Implement network segmentation (management plane separated from application/data plane).
    • Deploy host EDR with behavior blocking and detection for web‑to‑shell techniques and command injections.
    • Regularly run authenticated discovery scans and authenticated web application tests against CWP/Gladinet endpoints.
