{"id":769,"date":"2025-11-05T09:21:02","date_gmt":"2025-11-05T09:21:02","guid":{"rendered":"https:\/\/www.securesteps.tn\/cisa-adds-gladinet-and-cwp-flaws-to-exploited-list\/"},"modified":"2025-11-05T09:21:02","modified_gmt":"2025-11-05T09:21:02","slug":"cisa-adds-gladinet-and-cwp-flaws-to-exploited-list","status":"publish","type":"post","link":"https:\/\/www.securesteps.tn\/ar\/cisa-adds-gladinet-and-cwp-flaws-to-exploited-list\/","title":{"rendered":"CISA Adds Gladinet and CWP Flaws to Exploited List"},"content":{"rendered":"<p><span data-lexical-tag=\"true\" class=\"tag\">**CISA Adds Gladinet and CWP Flaws to Exploited List**<\/p>\n<p>**Why Security Leaders Can\u2019t Afford to Overlook These Newly Exploited Vulnerabilities**<\/p>\n<p>Imagine this: a seemingly minor flaw in a file-sharing platform or web panel quietly gives attackers full control over your internal systems. It\u2019s not just possible\u2014it\u2019s happening. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added two critical vulnerabilities affecting Gladinet\u2019s CentreStack and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog.<\/p>\n<p>This list isn\u2019t just advisory\u2014it\u2019s a call to action, especially for federal agencies and organizations managing sensitive infrastructures. Why? 
Because KEV-listed vulnerabilities are actively exploited in the wild, posing serious threats to business continuity, data integrity, and operational resilience.<\/p>\n<p>Here\u2019s what\u2019s at stake:<br \/>\n&#8211; Unauthenticated remote code execution in CentreStack (CVE-2024-2389)<br \/>\n&#8211; Arbitrary code execution in CWP (CVE-2022-44877)<\/p>\n<p>Both are considered high-severity and have already been weaponized by threat actors\u2014from cybercriminals to state-sponsored groups.<\/p>\n<p>In this post, we\u2019ll break down both vulnerabilities, understand how attackers are leveraging them, and outline what security leaders like you can do right now to prevent a breach.<\/p>\n<p>**Understanding the Threat: What\u2019s Being Exploited**<\/p>\n<p>The CentreStack and CWP vulnerabilities are serious not just because of their technical depth, but because of how commonly these platforms are used.<\/p>\n<p>**Gladinet\u2019s CentreStack (CVE-2024-2389)** allows unauthenticated remote code execution. In simpler terms, attackers don\u2019t need login credentials\u2014they can simply interact with a vulnerable endpoint (specifically, the \u201cUpload.ashx\u201d handler) and execute malicious commands on the server. This is a worst-case scenario for any IT administrator. Once in, attackers can install malware, exfiltrate data, or pivot to other parts of the network.<\/p>\n<p>**CWP\u2019s flaw (CVE-2022-44877)** is a command injection vulnerability that similarly allows unauthenticated attackers to run arbitrary commands. Control Web Panel is widely used by hosting providers and IT management teams because it simplifies Linux server administration. 
But its popularity also makes it a juicy target.<\/p>\n<p>The KEV designation reinforces that these exploits aren\u2019t theoretical:<br \/>\n&#8211; CentreStack\u2019s vulnerability was confirmed to have working proof-of-concept code available publicly within weeks of its disclosure.<br \/>\n&#8211; According to data from Recorded Future, nearly 40% of KEV vulnerabilities are weaponized within 10 days of public disclosure.<\/p>\n<p>Given this, leadership teams need to treat KEV additions as red-alert signals\u2014not just another patch to schedule.<\/p>\n<p>**How Attackers Are Weaponizing These Flaws**<\/p>\n<p>Once a flaw lands on the KEV list, it gains the attention of a broader swath of cyber adversaries. Here\u2019s what that means in practice:<\/p>\n<p>1. **Automation accelerates compromise.** Tools like Shodan or Censys help attackers find exposed CentreStack or CWP instances. Once found, the exploitation process is often automated\u2014scripts complete the entire attack chain.<br \/>\n2. **No authentication required = rapid escalation.** Since both flaws can be exploited without authentication, attackers don\u2019t need to guess passwords or bypass multi-factor authentication. That takes one of your key defenses out of play.<br \/>\n3. **Initial access is only the beginning.** After gaining access, attackers often load tools like Cobalt Strike or Meterpreter to maintain persistence and move laterally. 
This turns an initial breach into a full-blown incident.<\/p>\n<p>Here\u2019s a breakdown of how these exploits unfold:<\/p>\n<p>&#8211; **Step 1:** Vulnerability scan identifies an exposed system (e.g., CentreStack server).<br \/>\n&#8211; **Step 2:** Public exploit code is executed, taking advantage of the upload handler or CWP panel.<br \/>\n&#8211; **Step 3:** Malicious payload is delivered and executed\u2014no user interaction needed.<br \/>\n&#8211; **Step 4:** Control of the server is gained, logs potentially wiped, alerting mechanisms disabled.<br \/>\n&#8211; **Step 5:** Secondary objectives carried out\u2014ransomware deployment, credential harvesting, or backdoor installation.<\/p>\n<p>One key reason these types of attacks succeed is slow patch adoption. According to a 2023 Ponemon study, 56% of organizations take more than five days to apply even critical patches. That\u2019s five days too many when exploitation begins within hours.<\/p>\n<p>**What Security Teams Should Do Right Now**<\/p>\n<p>The good news: both vulnerabilities have patches available. The urgent task is ensuring they\u2019re applied without delay. Here\u2019s what you need to do:<\/p>\n<p>**1. Identify Affected Assets**<br \/>\n&#8211; Conduct asset discovery scans for CentreStack and CWP deployments.<br \/>\n&#8211; Review cloud configurations and on-prem services\u2014these platforms are commonly self-hosted and outside traditional patching workflows.<\/p>\n<p>**2. Patch Immediately**<br \/>\n&#8211; For CentreStack, update to the latest version released by Gladinet (check your version using the CentreStack admin console).<br \/>\n&#8211; For CWP, update to at least version 0.9.8.1147, which contains the fix.<\/p>\n<p>**3. 
Review Logs for Signs of Exploitation**<br \/>\n&#8211; Look for unusual activity involving `Upload.ashx` (CentreStack) or suspicious PHP requests to the CWP panel.<br \/>\n&#8211; Check for newly created admin users, unexpected restarts, or base64-encoded inputs (a common signature in command injection).<\/p>\n<p>**4. Harden Your Environment**<br \/>\nEven after patching, secure your perimeter:<br \/>\n&#8211; Implement strict firewall rules and limit public-facing admin panels.<br \/>\n&#8211; Consider isolating CentreStack and CWP instances from critical network segments.<br \/>\n&#8211; Deploy strong endpoint detection and response (EDR) solutions.<\/p>\n<p>**5. Pay Attention to KEV Catalog Updates**<br \/>\nThe KEV catalog is one of the most valuable but underutilized resources. You and your team should:<br \/>\n&#8211; Subscribe to CISA alerts for immediate visibility.<br \/>\n&#8211; Integrate KEV watchlists into your SIEM or vulnerability management tools.<br \/>\n&#8211; Remediate newly added entries immediately, not eventually.<\/p>\n<p>**Conclusion: React Faster Than the Attackers**<\/p>\n<p>When CISA adds a vulnerability to its Known Exploited Vulnerabilities catalog, it\u2019s more than a bureaucratic update\u2014it\u2019s a flashing siren for security leaders and IT teams. With CentreStack and CWP now officially on that list, delaying action increases your organization\u2019s risk profile in measurable ways.<\/p>\n<p>You don\u2019t need a full architectural overhaul\u2014just focused, urgent action:<br \/>\n&#8211; Find where these services exist in your environment.<br \/>\n&#8211; Apply patches now\u2014not next week.<br \/>\n&#8211; Monitor and hunt for signs of recent exploitation.<\/p>\n<p>At a time when speed defines both the attacker and defender advantage, your ability to respond quickly is what protects your systems, your data, and your customers. 
So take this update seriously\u2014and make sure your team does, too.<\/p>\n<p>**Next Steps:**<br \/>\n&#8211; Schedule a rapid-response meeting to review exposure across your IT assets.<br \/>\n&#8211; Designate KEV monitoring as an operational priority.<br \/>\n&#8211; Use this incident to develop or refine your zero-day response playbook.<\/p>\n<p>Vulnerabilities don\u2019t rest. Neither can we.<\/span><\/p>","protected":false},"excerpt":{"rendered":"<p>**CISA Adds Gladinet and CWP Flaws to Exploited List** **Why Security Leaders Can\u2019t Afford to Overlook These Newly Exploited Vulnerabilities** Imagine this: a seemingly minor flaw in a file-sharing platform or web panel quietly gives attackers full control over your internal systems. It\u2019s not just possible\u2014it\u2019s happening. The U.S. Cybersecurity [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":770,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[37],"tags":[],"class_list":["post-769","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-information-security-fr"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/posts\/769","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/comments?post=769"}],"version-history":[{"count":0,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/posts\/769\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/media\/770"}],"wp:attachment":[{"href":"https:\/\/www.secureste
ps.tn\/ar\/wp-json\/wp\/v2\/media?parent=769"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/categories?post=769"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/tags?post=769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}