CISA adds two known exploited vulnerabilities to catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has included two additional vulnerabilities in its Known Exploited Vulnerabilities (KEV) Catalog, highlighting risks related to Gladinet CentreStack and Triofox as well as the CWP Control Web Panel.

The first vulnerability, CVE-2025-11371, allows unauthorized external access to files or directories in Gladinet CentreStack and Triofox. The second, CVE-2025-48703, is a command injection flaw affecting the CWP Control Web Panel operating system (OS). Both have been confirmed as actively exploited. Beyond the affected components and the conditions under which each is exploited, the advisory draws no further distinction between the two.

Exploitation of these vulnerabilities represents a common method employed by malicious actors and presents risks to federal enterprise systems.

CISA's Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate vulnerabilities listed in the KEV catalog by specified due dates in order to protect FCEB networks. Although BOD 22-01 applies only to federal agencies, CISA urges all organizations to prioritize timely remediation of KEV catalog entries as part of their vulnerability management programs. The agency will continue to add vulnerabilities to the catalog as they meet the established criteria.
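As an added example (not part of the CISA notice and not CISA's own tooling), the following Python script shows what "timely remediation of KEV catalog entries" looks like operationally: it parses a KEV-style JSON export, matches each entry to an asset inventory by vendor and product, and flags assets whose remediation due date has passed or is close. The catalog excerpt is constructed: its field names follow the public KEV JSON feed, but the dates, vulnerability names and required-action text are placeholders rather than the real catalog values; only the two CVE IDs and the vendor names come from the notice. The inventory is likewise made up.

```python
"""Match a KEV catalog export against an asset inventory and flag overdue items.

Added example, not from the CISA notice. Field names follow the public KEV
JSON feed; all dates and descriptive strings below are placeholders.
"""
import json
from datetime import date

# Constructed KEV excerpt. The CVE IDs and vendors appear in the notice; the
# dateAdded/dueDate values, names and requiredAction text are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-11371",
      "vendorProject": "Gladinet",
      "product": "CentreStack and Triofox",
      "vulnerabilityName": "Placeholder: files or directories accessible to external parties",
      "dateAdded": "2025-11-01",
      "requiredAction": "Placeholder: apply vendor mitigations or discontinue use",
      "dueDate": "2025-11-18",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-2025-48703",
      "vendorProject": "CWP",
      "product": "Control Web Panel",
      "vulnerabilityName": "Placeholder: command injection",
      "dateAdded": "2025-11-04",
      "requiredAction": "Placeholder: apply vendor mitigations or discontinue use",
      "dueDate": "2025-11-25",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed asset inventory: hostnames, vendors and products are invented.
SAMPLE_INVENTORY = [
    {"host": "app-01", "vendor": "Gladinet", "product": "Triofox"},
    {"host": "app-02", "vendor": "Gladinet", "product": "CentreStack"},
    {"host": "web-01", "vendor": "CWP", "product": "Control Web Panel"},
    {"host": "web-02", "vendor": "Apache", "product": "HTTP Server"},
]


def load_catalog(text):
    """Return the list of vulnerability entries from a KEV JSON document."""
    return json.loads(text)["vulnerabilities"]


def _norm(s):
    """Lowercase and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(s.lower().replace("-", " ").split())


def affected_assets(entry, inventory):
    """Assets whose vendor matches the entry and whose product shares a name token.

    KEV 'product' fields often list several products ("A and B"), so a
    token-level match is used rather than exact string equality.
    """
    vendor = _norm(entry["vendorProject"])
    product_tokens = set(_norm(entry["product"]).split()) - {"and", "&"}
    hits = []
    for asset in inventory:
        if _norm(asset["vendor"]) != vendor:
            continue
        if set(_norm(asset["product"]).split()) & product_tokens:
            hits.append(asset)
    return hits


def remediation_status(entries, inventory, today_iso):
    """One row per (asset, CVE) pair, sorted so the most urgent items come first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for entry in entries:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            status = "overdue"
        elif days_left <= 7:
            status = "due_soon"
        else:
            status = "open"
        for asset in affected_assets(entry, inventory):
            rows.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "daysLeft": days_left,
                "status": status,
            })
    rows.sort(key=lambda r: (r["daysLeft"], r["host"]))
    return rows


if __name__ == "__main__":
    report = remediation_status(load_catalog(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, "2025-11-20")
    for r in report:
        print(f"{r['status']:9} {r['host']:8} {r['cveID']}  due {r['dueDate']} ({r['daysLeft']:+d}d)")
```

To use this against the real feed, replace `SAMPLE_KEV_JSON` with the downloaded catalog and `SAMPLE_INVENTORY` with an export from your asset database; the matching is deliberately loose on product names, so review matches rather than treating them as authoritative.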

The update reaffirms BOD 22-01 as the framework for reducing exposure to known exploited vulnerabilities and supports federal objectives to mitigate cyber threats through structured vulnerability remediation.