**CISA Adds Gladinet and CWP Flaws to Exploited List**

**Why Security Leaders Can’t Afford to Overlook These Newly Exploited Vulnerabilities**

Imagine this: a seemingly minor flaw in a file-sharing platform or web panel quietly gives attackers full control over your internal systems. It’s not just possible—it’s happening. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added two critical vulnerabilities affecting Gladinet’s CentreStack and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog.

This list isn’t just advisory—it’s a call to action, especially for federal agencies and organizations managing sensitive infrastructures. Why? Because KEV-listed vulnerabilities are actively exploited in the wild, posing serious threats to business continuity, data integrity, and operational resilience.

Here’s what’s at stake:
– Unauthenticated remote code execution in CentreStack (CVE-2024-2389)
– Arbitrary code execution in CWP (CVE-2022-44877)

Both are considered high-severity and have already been weaponized by threat actors—from cybercriminals to state-sponsored groups.

In this post, we’ll break down both vulnerabilities, understand how attackers are leveraging them, and outline what security leaders like you can do right now to prevent a breach.

**Understanding the Threat: What’s Being Exploited**

The CentreStack and CWP vulnerabilities are serious not only because of their technical severity, but because of how widely these platforms are deployed.

**Gladinet’s CentreStack (CVE-2024-2389)** allows unauthenticated remote code execution. In simpler terms, attackers don’t need login credentials—they can simply interact with a vulnerable endpoint (specifically, the “Upload.ashx” handler) and execute malicious commands on the server. This is a worst-case scenario for any IT administrator. Once in, attackers can install malware, exfiltrate data, or pivot to other parts of the network.

**CWP’s flaw (CVE-2022-44877)** is a command injection vulnerability that similarly allows unauthenticated attackers to run arbitrary commands. Control Web Panel is widely used by hosting providers and IT management teams because it simplifies Linux server administration. But its popularity also makes it a juicy target.

The KEV designation reinforces that these exploits aren’t theoretical:
– CentreStack’s vulnerability was confirmed to have working proof-of-concept code available publicly within weeks of its disclosure.
– According to data from Recorded Future, nearly 40% of KEV vulnerabilities are weaponized within 10 days of public disclosure.

Given this, leadership teams need to treat KEV additions as red-alert signals—not just another patch to schedule.

**How Attackers Are Weaponizing These Flaws**

Once a flaw lands on the KEV list, it gains the attention of a broader swath of cyber adversaries. Here’s what that means in practice:

1. **Automation accelerates compromise.** Tools like Shodan or Censys help attackers find exposed CentreStack or CWP instances. Once found, the exploitation process is often automated—scripts complete the entire attack chain.
2. **No authentication required = rapid escalation.** Since both flaws are unauthenticated, attackers don’t need to guess passwords or bypass multi-factor authentication. That bypasses one of your key defenses.
3. **Initial access is only the beginning.** After gaining access, attackers often load tools like Cobalt Strike or Meterpreter to maintain persistence and lateral movement. This turns an initial breach into a full-blown incident.

Here’s a breakdown of how these exploits unfold:

– **Step 1:** Vulnerability scan identifies an exposed system (e.g., CentreStack server).
– **Step 2:** Public exploit code is executed, taking advantage of the upload handler or CWP panel.
– **Step 3:** Malicious payload is delivered and executed—no user interaction needed.
– **Step 4:** Control of the server is gained, logs potentially wiped, alerting mechanisms disabled.
– **Step 5:** Secondary objectives carried out—ransomware deployment, credential harvesting, or backdoor installation.

One key reason these types of attacks succeed is slow patch adoption. According to a 2023 Ponemon study, 56% of organizations take more than five days to apply even critical patches. That’s five days too many when exploitation begins within hours.

**What Security Teams Should Do Right Now**

The good news: both vulnerabilities have patches available. The urgent task is ensuring they’re applied without delay. Here’s what you need to do:

**1. Identify Affected Assets**
– Conduct asset discovery scans for CentreStack and CWP deployments.
– Review cloud configurations and on-prem services—these platforms are commonly self-hosted and outside traditional patching workflows.

**2. Patch Immediately**
– For CentreStack, update to the latest version released by Gladinet (check your version using the CentreStack admin console).
– For CWP, update to at least version 0.9.8.1147, which contains the fix.

**3. Review Logs for Signs of Exploitation**
– Look for unusual activity involving `Upload.ashx` (CentreStack) or suspicious PHP requests to the CWP panel.
– Check for new admin users created, unexpected restarts, or base64-encoded inputs (a common signature in command injection).
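A small log-triage script for the review above, written as an added example and not part of the original post. It walks constructed access-log lines (combined log format) and flags `Upload.ashx` requests from outside an assumed trusted range, path-traversal sequences in their parameters, and PHP panel requests carrying base64-looking values or shell metacharacters; the trusted network and the sample lines are assumptions.

```python
import base64
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (combined log format): sample data for this example, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2025:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Apr/2025:10:01:11 +0000] "POST /storage/Upload.ashx HTTP/1.1" 200 35 "-" "CentreStack-Client"
203.0.113.9 - - [12/Apr/2025:10:02:07 +0000] "POST /storage/Upload.ashx?d=..%2F..%2F&f=x.aspx HTTP/1.1" 200 35 "-" "python-requests/2.31"
198.51.100.3 - - [12/Apr/2025:10:04:01 +0000] "GET /admin/index.php?q=aGVsbG8gd29ybGQgMTIzNA%3D%3D HTTP/1.1" 200 77 "-" "curl/8.4"
198.51.100.3 - - [12/Apr/2025:10:04:09 +0000] "GET /admin/index.php?user=a%3Bid HTTP/1.1" 200 77 "-" "curl/8.4"
"""
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal/VPN ranges; adjust per environment
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")    # long, optionally padded base64-looking token
SHELL_META = ("|", ";", "`", "$(", "&&")             # common command-injection separators

def is_trusted(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def looks_base64(value: str) -> bool:
    try:
        return bool(B64_RE.match(value)) and len(base64.b64decode(value, validate=True)) > 0
    except ValueError:                               # binascii.Error is a ValueError subclass
        return False

def triage(log_text: str) -> list[dict]:
    """One finding per suspicious request, with every reason it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                 # skip lines that are not combined-format
        ip, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        path = parts.path.lower()
        params = parse_qsl(parts.query, keep_blank_values=True)   # values are percent-decoded
        reasons = []
        if path.endswith("upload.ashx") and not is_trusted(ip):
            reasons.append("Upload.ashx hit from untrusted source")
            reasons += [f"path traversal in param {k}" for k, v in params if ".." in v]
        if path.endswith(".php") and not is_trusted(ip):
            reasons += [f"base64-looking value in param {k}" for k, v in params if looks_base64(v)]
            reasons += [f"shell metacharacter in param {k}" for k, v in params if any(t in v for t in SHELL_META)]
        if reasons:
            findings.append({"ip": ip, "time": ts, "request": f"{method} {target}", "status": status, "reasons": reasons})
    return findings
```

The base64 check is a heuristic and will occasionally flag long alphanumeric tokens (session IDs, for example), so treat findings as leads for analyst review rather than confirmed exploitation.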

**4. Harden Your Environment**
Even after patching, secure your perimeter:
– Implement strict firewall rules and limit public-facing admin panels.
– Consider isolating CentreStack and CWP instances from critical network segments.
– Enforce strong endpoint detection and response (EDR) solutions.

**5. Pay Attention to KEV Catalog Updates**
The KEV catalog is one of the most valuable but underutilized resources. You and your team should:
– Subscribe to CISA alerts for immediate visibility.
– Integrate KEV watchlists into your SIEM or vulnerability management tools.
– Prioritize remediation of newly added entries immediately, not eventually.
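One way to wire the KEV feed into an asset inventory, as an added example rather than anything from the post or from CISA: it parses a constructed excerpt in the shape of CISA's KEV JSON, lists entries added since the last check, and joins the rest to a constructed inventory by vendor and product, ranking matches by time left to the CISA due date. The dates, the third catalog entry and the inventory hosts are assumptions.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The dates, the third entry and the ransomware flags are sample values, not the live catalog.
KEV_JSON = """{"title": "CISA Catalog of Known Exploited Vulnerabilities", "vulnerabilities": [
  {"cveID": "CVE-2024-2389", "vendorProject": "Gladinet", "product": "CentreStack",
   "dateAdded": "2025-04-08", "dueDate": "2025-04-29", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2022-44877", "vendorProject": "CWP", "product": "Control Web Panel",
   "dateAdded": "2025-04-08", "dueDate": "2025-04-29", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Widget Server",
   "dateAdded": "2025-01-15", "dueDate": "2025-02-05", "knownRansomwareCampaignUse": "Known"}
]}"""

# Constructed asset inventory (what a CMDB or discovery scan might export); vendor and
# product are free text, so matching is case-insensitive substring matching.
INVENTORY = [
    {"host": "files01.corp.example", "vendor": "Gladinet Inc.", "product": "CentreStack Server"},
    {"host": "hosting02.corp.example", "vendor": "CWP", "product": "Control Web Panel 0.9.8.1100"},
    {"host": "web03.corp.example", "vendor": "Apache", "product": "HTTP Server"},
]

def kev_entries_since(kev_json: str, since: date) -> list[dict]:
    """Entries added on or after `since`: the set to alert on after each feed refresh."""
    entries = json.loads(kev_json)["vulnerabilities"]
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= since]

def match_inventory(kev_json: str, inventory: list[dict], today: date) -> list[dict]:
    """Join KEV entries to inventory on vendor+product and rank by time left to the due date."""
    hits = []
    for e in json.loads(kev_json)["vulnerabilities"]:
        vendor, product = e["vendorProject"].lower(), e["product"].lower()
        for asset in inventory:
            if vendor in asset["vendor"].lower() and product in asset["product"].lower():
                days_left = (date.fromisoformat(e["dueDate"]) - today).days
                hits.append({"host": asset["host"], "cve": e["cveID"], "days_to_due": days_left,
                             "overdue": days_left < 0, "ransomware_use": e["knownRansomwareCampaignUse"]})
    return sorted(hits, key=lambda h: h["days_to_due"])   # least time remaining first

if __name__ == "__main__":
    for h in match_inventory(KEV_JSON, INVENTORY, date.today()):
        print(f'{h["host"]}: {h["cve"]} due in {h["days_to_due"]} days (overdue={h["overdue"]})')
```

The KEV feed carries no version data, so every match still has to be checked against the vendor's fixed release (for CWP, 0.9.8.1147 as noted above) before it is closed.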

**Conclusion: React Faster Than the Attackers**

When CISA adds a vulnerability to its Known Exploited Vulnerabilities catalog, it’s more than a bureaucratic update—it’s a flashing siren for security leaders and IT teams. With CentreStack and CWP now officially on that list, delaying action increases your organization’s risk profile in measurable ways.

You don’t need a full architectural overhaul—just focused, urgent action:
– Find where these services exist in your environment.
– Apply patches now—not next week.
– Monitor and hunt for signatures of recent exploits.

At a time when speed defines both the attacker and defender advantage, your ability to respond quickly is what protects your systems, your data, and your customers. So take this update seriously—and make sure your team does, too.

**Next Steps:**
– Schedule a rapid-response meeting to review exposure across your IT assets.
– Designate KEV monitoring as an operational priority.
– Use this incident to develop or refine your zero-day response playbook.

Vulnerabilities don’t rest. Neither can we.
