
CISA has expanded its Known Exploited Vulnerabilities (KEV) catalog with critical flaws in Gladinet CentreStack/Triofox and Apple WebKit components, confirming active real-world exploitation that demands immediate remediation across enterprise and consumer environments. These additions trigger mandatory deadlines for U.S. federal agencies under BOD 22-01 while serving as a high-priority alert for all organizations managing affected platforms. Security teams should prioritize scanning, patching, and monitoring to disrupt ongoing attack chains targeting file-sharing servers and browser engines.
Gladinet CentreStack/Triofox: CVE-2025-14611 Breakdown
The Gladinet vulnerability, CVE-2025-14611, exposes hardcoded cryptographic keys within CentreStack and Triofox file-sharing platforms, enabling attackers to decrypt protected data, tamper with integrity checks, and chain into local file inclusion (LFI) for remote code execution. Paired with the unauthenticated LFI in CVE-2025-11371, adversaries can extract sensitive configs like web.config or machine keys, then exploit .NET ViewState deserialization to run arbitrary commands on exposed instances. These flaws hit managed service providers (MSPs) and remote access setups hard, where unpatched servers become persistent footholds for data exfiltration or lateral movement.
Apple WebKit Zero-Days: CVE-2025-43529 and CVE-2025-14174
Apple’s WebKit engine faces dual zero-days added to KEV: CVE-2025-43529, a use-after-free bug allowing arbitrary code execution via malicious web content, and CVE-2025-14174, a memory corruption issue in WebKit/ANGLE paths reachable through crafted HTML. These affect iOS/iPadOS 26.x prior to 26.2, macOS, watchOS, tvOS, visionOS, and Safari, with Apple confirming sophisticated targeted attacks involving spyware deployment. Enterprises with high-value executive devices or MDM-managed Apple fleets face elevated risks from drive-by browser compromises, especially given overlaps with Chrome exploit trends.
Enterprise Remediation Roadmap
- Gladinet/Triofox: Deploy Gladinet’s latest patches immediately; for unpatchable legacy installs, isolate servers behind VPN/WAF, block LFI paths like /api/file, and hunt in logs for indicators such as anomalous ViewState requests or evidence that the hardcoded keys were used.
- Apple WebKit: Roll out iOS/iPadOS 26.2+, equivalent macOS/Safari/watchOS/tvOS/visionOS updates via MDM with compliance enforcement; scan for pre-patch exposure, prioritize VIP/remote users, and monitor WebKit crashes or sandbox escapes.
- Broader KEV Workflow: Integrate these into Qualys/Tenable scans with custom QIDs for WebKit versions and Gladinet endpoints; align SLAs to CISA deadlines, and layer defenses with browser content filtering plus EDR rules for post-exploitation artifacts.
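As an added example (not from the original advisory and not Gladinet's code), a small log-hunting script for the two Gladinet indicators named above: traversal or config-file access through the /api/file path, and oversized POSTs to .aspx pages, which is where a ViewState deserialization payload would be delivered. The W3C/IIS-style field order, the 20,000-byte threshold and the sample lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed W3C/IIS-style lines (not real CentreStack output), assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
SAMPLE_LOG = """\
2025-12-01 10:00:01 10.0.0.5 GET /portal/loginpage.aspx - 200 412
2025-12-01 10:00:07 10.0.0.5 GET /api/file path=..%2f..%2fweb.config 200 398
2025-12-01 10:00:09 10.0.0.5 GET /api/file path=reports/q3.xlsx 200 401
2025-12-01 10:00:15 10.0.0.5 POST /portal/loginpage.aspx - 500 48213
2025-12-01 10:01:30 10.0.0.9 POST /portal/loginpage.aspx - 302 1870
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")            # ../ or ..\ after URL-decoding
SENSITIVE = ("web.config", "machine.config", "machinekey")
ASPX_POST_BYTES_THRESHOLD = 20_000              # assumed baseline; tune to the deployment


def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 8 or not fields[7].isdigit():
        return None
    date, time, ip, method, stem, query, status, cs_bytes = fields
    return {"ip": ip, "method": method.upper(), "uri": stem,
            "query": "" if query == "-" else query, "status": status,
            "bytes": int(cs_bytes)}


def find_suspicious(log_text):
    """Return findings for the two hunting heuristics described in the roadmap."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Decode twice so %252e%252e-style double encoding is also caught.
        decoded = unquote(unquote(rec["query"])).lower()
        if rec["uri"].lower().startswith("/api/file") and (
                TRAVERSAL.search(decoded) or any(s in decoded for s in SENSITIVE)):
            findings.append({**rec, "reason": "lfi_pattern"})
        # Large POSTs to ASP.NET pages are where a ViewState gadget chain would land.
        if (rec["method"] == "POST" and rec["uri"].lower().endswith(".aspx")
                and rec["bytes"] > ASPX_POST_BYTES_THRESHOLD):
            findings.append({**rec, "reason": "oversized_aspx_post"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['reason']:20} {f['ip']:10} {f['method']} {f['uri']} {f['bytes']}B")
```

Feed it real exported logs after adjusting the field order; matches are leads for triage, not proof of compromise on their own.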
These KEV entries underscore persistent threats to collaboration tools and browsers. Patching now prevents adversaries from chaining these flaws into full network compromise and buys time against evolving spyware and ransomware campaigns.