CISA flags two new exploited vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities affecting Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities catalog, reports The Hacker News.

The first flaw, CVE-2025-11371, involves insecure file access in Gladinet CentreStack and Triofox, which could lead to system file exposure. The second, CVE-2025-48703, is a critical command injection flaw in CWP that allows unauthenticated remote code execution. Security researcher Maxime Rinaudo warned that it enables attackers with knowledge of a valid username to execute arbitrary commands on affected servers. CISA has ordered federal agencies to patch the vulnerabilities by November 25, 2025.

The announcement follows Wordfence reports of three high-severity flaws in the WordPress plugins WP Freeio, Noo JobMonster, and Post SMTP that could allow attackers to bypass authentication or gain administrative access. Users are urged to update immediately and monitor for suspicious activity to prevent website compromise and data theft.
