U.S. CISA adds Apple and Gladinet CentreStack and Triofox flaws to its Known Exploited Vulnerabilities catalog
Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple, Gladinet CentreStack and Triofox vulnerabilities to its Known Exploited Vulnerabilities catalog. A memory management issue in Apple WebKit may lead to code execution; a hard-coded encryption key in Gladinet CentreStack and Triofox can be exploited by attackers. CISA requires federal agencies to remediate these vulnerabilities by January 5, 2026.
2025-12-15 18:59:59 Author: securityaffairs.com (view original)


Pierluigi Paganini December 15, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Apple WebKit flaw and a Gladinet CentreStack and Triofox flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apple WebKit vulnerability and a Gladinet CentreStack and Triofox vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2025-43529 – Apple Multiple Products Use-After-Free WebKit Vulnerability;
  • CVE-2025-14611 – Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Vulnerability;

Last week, Apple and Google both pushed out urgent security updates after uncovering highly targeted attacks against an unknown number of users. The attacks abused zero-day vulnerabilities in their software. The campaigns appear to involve nation-state actors and commercial spyware vendors, focusing on specific high-value individuals rather than mass exploitation.

Apple released updates for iPhones, iPads, Macs, and more, fixing two WebKit flaws (CVE-2025-14174, CVE-2025-43529) that were likely exploited in targeted attacks against devices running iOS versions earlier than iOS 26.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26.” states the advisory.

Apple and Google did not provide further information on the attacks. 

The vulnerability CVE-2025-43529 is a use-after-free flaw in Apple’s WebKit engine, the component responsible for processing web content. A use-after-free occurs when WebKit frees an object but keeps a reference to it, so later code reads or writes memory that has already been returned to the allocator. By delivering specially crafted web content, an attacker can trigger this condition and cause memory corruption; if the attacker can also arrange for the freed memory to be reallocated with controlled contents before the stale reference is used, the corruption becomes controllable. In practice, this can lead to application crashes or, in more serious cases, arbitrary code execution. The issue affects Safari and any Apple or third-party application that relies on WebKit to parse and render HTML across iOS, iPadOS, macOS, and related platforms, so the attack surface is not limited to the browser.

The second issue added to the catalog is CVE-2025-14611, a hard-coded cryptographic key vulnerability in Gladinet CentreStack and Triofox, where fixed AES encryption keys are embedded directly in the software. Because the same key ships with every installation, it is neither unique nor secret: anyone with a copy of the software can extract it, decrypt protected data, and produce ciphertext that the server accepts as genuine. When this encryption protects publicly exposed endpoints, it provides little real protection. An unauthenticated attacker can exploit the issue with a specially crafted request to bypass those protections and potentially achieve arbitrary local file inclusion, giving access to sensitive files on the underlying system. Since exploitation requires no credentials, internet-exposed instances are the primary concern.
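To make the attack chain concrete, the following is an added example written for this page; it is not Gladinet's code and does not reproduce the actual CVE-2025-14611 logic. It models a file endpoint that accepts a request only when it carries a valid authentication tag computed with a key compiled into the product. HMAC-SHA256 stands in for the AES construction because the Python standard library has no AES; the flaw is the same either way: the secret is fixed in the source, so an attacker who has a copy of the software can forge valid requests for any path. The hardened version uses a key generated at install time and confines requested paths to the share root. All names, the key value, and the sample files are constructed for the example.

```python
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path

# Constructed stand-in for a key compiled into the product (NOT a real vendor key).
HARDCODED_KEY = b"CHANGEME-fixed-key-shipped-in-binary"


def make_tag(path: str, key: bytes) -> str:
    """Authentication tag over the requested path (HMAC-SHA256 stands in for AES)."""
    return hmac.new(key, path.encode(), hashlib.sha256).hexdigest()


def vulnerable_serve(path: str, tag: str) -> bytes:
    """Unauthenticated file endpoint as modelled here: the tag is verified,
    but the key is the fixed one above and the path is not restricted."""
    if not hmac.compare_digest(make_tag(path, HARDCODED_KEY), tag):
        raise PermissionError("invalid tag")
    return Path(path).read_bytes()


def hardened_serve(path: str, tag: str, key: bytes, root: Path) -> bytes:
    """Same endpoint with a per-deployment key and path confinement to `root`."""
    if not hmac.compare_digest(make_tag(path, key), tag):
        raise PermissionError("invalid tag")
    root = root.resolve()
    target = (root / path).resolve()
    if not target.is_relative_to(root):  # Path.is_relative_to needs Python 3.9+
        raise PermissionError("path escapes share root")
    return target.read_bytes()


def demo() -> dict:
    """Run the forgery against both endpoints; return what the attacker obtained."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        share = tmp / "share"
        share.mkdir()
        (share / "public.txt").write_bytes(b"public")
        secret = tmp / "secret.conf"  # constructed file outside the share root
        secret.write_bytes(b"db_password=hunter2")

        # Attacker extracted HARDCODED_KEY from a copy of the software and
        # forges a tag for an arbitrary local file: local file inclusion.
        forged = make_tag(str(secret), HARDCODED_KEY)
        leaked = vulnerable_serve(str(secret), forged)

        # Hardened deployment: key generated at install time, unknown to the attacker.
        install_key = secrets.token_bytes(32)
        try:
            hardened_serve("../secret.conf",
                           make_tag("../secret.conf", HARDCODED_KEY), install_key, share)
            forged_accepted = True
        except PermissionError:
            forged_accepted = False

        # Even a correctly keyed request cannot leave the share root.
        try:
            hardened_serve("../secret.conf",
                           make_tag("../secret.conf", install_key), install_key, share)
            traversal_accepted = True
        except PermissionError:
            traversal_accepted = False

        legit = hardened_serve("public.txt",
                               make_tag("public.txt", install_key), install_key, share)
        return {"leaked": leaked, "forged_accepted": forged_accepted,
                "traversal_accepted": traversal_accepted, "legit": legit}


if __name__ == "__main__":
    print(demo())
```

The two defences are independent: rotating to a per-install key stops forgery by anyone who only has the software, and confining the resolved path stops a legitimate key holder from reading outside the share. Patching a product that shipped a fixed key should include the key rotation, since the old key is already public.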

Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA ordered federal agencies to fix both vulnerabilities by January 5, 2026.
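For organizations that follow the advice above and check the catalog against their own inventory, here is an added example (mine, not CISA's tooling) that parses a KEV feed document in CISA's published JSON schema and reports the remediation deadline status of entries whose vendor appears in a local inventory. The embedded feed is a constructed sample: the two entries carry the identifiers, date added and due date reported on this page, while the description and action fields are placeholders rather than CISA's wording.

```python
import json
from datetime import date

# Constructed sample in the schema of CISA's KEV JSON feed. Identifiers and dates
# match this page; shortDescription/requiredAction are placeholders, not CISA's text.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-43529",
            "vendorProject": "Apple",
            "product": "Multiple Products",
            "vulnerabilityName": "Apple Multiple Products Use-After-Free WebKit Vulnerability",
            "dateAdded": "2025-12-15",
            "shortDescription": "placeholder: use-after-free in WebKit",
            "requiredAction": "placeholder: apply vendor updates",
            "dueDate": "2026-01-05",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2025-14611",
            "vendorProject": "Gladinet",
            "product": "CentreStack and Triofox",
            "vulnerabilityName": "Gladinet CentreStack and Triofox Hard-Coded Cryptographic Key Vulnerability",
            "dateAdded": "2025-12-15",
            "shortDescription": "placeholder: hard-coded cryptographic key",
            "requiredAction": "placeholder: apply vendor updates",
            "dueDate": "2026-01-05",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def parse_kev(feed_json: str) -> list[dict]:
    """Return the vulnerability entries from a KEV feed document."""
    return json.loads(feed_json)["vulnerabilities"]


def triage(entries: list[dict], inventory: set[str], today_iso: str) -> list[dict]:
    """Keep entries whose vendorProject is in the lower-cased inventory and
    annotate each with its deadline status as of today_iso (YYYY-MM-DD)."""
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in entries:
        if entry["vendorProject"].lower() not in inventory:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "name": entry["vulnerabilityName"],
            "added": entry["dateAdded"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": today > due,
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    # Soonest deadline first, so the report leads with what must be fixed next.
    return sorted(hits, key=lambda h: (h["due"], h["cve"]))


if __name__ == "__main__":
    inventory = {"apple", "gladinet"}  # constructed: vendors present in the estate
    for hit in triage(parse_kev(SAMPLE_FEED), inventory, date.today().isoformat()):
        status = "OVERDUE" if hit["overdue"] else f'{hit["days_left"]} days left'
        print(f'{hit["cve"]}  {hit["product"]}  due {hit["due"]}  ({status})')
```

Against the live feed, replace SAMPLE_FEED with the contents of https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; fetching and caching it is left to the reader. Matching on vendorProject alone is deliberately coarse: it over-reports, which is the safer failure mode for a triage list, and the product field is carried through so an analyst can discard entries that do not apply.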

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)




Source: https://securityaffairs.com/185716/hacking/u-s-cisa-adds-apple-and-gladinet-centrestack-and-triofox-flaws-to-its-known-exploited-vulnerabilities-catalog.html