(TLP:CLEAR) Weekly Vulnerabilities to Prioritize – November 6, 2025
Created: Thursday, November 6, 2025 - 13:33
Categories: Cybersecurity, Security Preparedness
The below vulnerabilities have been identified by WaterISAC analysts as important for water and wastewater utilities to prioritize in their vulnerability management efforts. WaterISAC shares critical vulnerabilities that affect widely used products and may be under active exploitation. WaterISAC draws additional awareness in alerts and advisories when vulnerabilities are confirmed to be impacting, or have a high likelihood of impacting, water and wastewater utilities. Members are encouraged to regularly review these vulnerabilities, many of which are often included in CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Cisco Unified Contact Center Express (UCCX) Remote Code Execution Vulnerability
CVSS v3.1: 9.8
CVE: CVE-2025-20354
Description: A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system. This vulnerability is due to improper authentication mechanisms associated with specific Cisco Unified CCX features. An attacker could exploit this vulnerability by uploading a crafted file to an affected system through the Java RMI process. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system and elevate privileges to root.
Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ
CWP Control Web Panel OS Command Injection Vulnerability
CVSS v3.1: 9.0
CVE: CVE-2025-48703
Description: CWP (aka Control Web Panel or CentOS Web Panel) before 0.9.8.1205 allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known. CISA has added this vulnerability to its KEV catalog.
Source: https://fenrisk.com/rce-centos-webpanel
XWiki Platform Eval Injection Vulnerability
CVSS v3.1: 9.8
CVE: CVE-2025-24893
Description: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed. CISA has added this vulnerability to its KEV catalog.
Source: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j
Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
CVSS: N/A
CVE: CVE-2025-11371
Description: In the default installation and configuration of Gladinet CentreStack and Triofox, there is an unauthenticated local file inclusion flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue affects all versions of Gladinet CentreStack and Triofox prior to and including 16.7.10368.56560. CISA has added this vulnerability to its KEV catalog.
Source: https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw
Broadcom VMware Aria Operations and VMware Tools Privilege Defined with Unsafe Actions Vulnerability
CVSS v3.1: 7.8
CVE: CVE-2025-41244
Description: VMware Aria Operations and VMware Tools contain a local privilege escalation vulnerability. A malicious local actor with non-administrative privileges who has access to a VM with VMware Tools installed, where that VM is managed by Aria Operations with SDMP enabled, may exploit this vulnerability to escalate privileges to root on the same VM. CISA has added this vulnerability to its KEV catalog.
Source: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
