Risk actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox merchandise, which permits a neighborhood attacker to entry system recordsdata with out authentication.
Not less than three firms have been focused to date. Though a patch isn’t but obtainable, clients can apply mitigations.
CentreStack and Triofox are Gladinet’s enterprise options for file sharing and distant entry that enable utilizing an organization’s personal storage as a cloud. In keeping with the seller, CentreStack “is utilized by 1000’s of companies from over 49 international locations.”
No repair, all variations affected
The zero-day vulnerability CVE-2025-11371 is a Native File Inclusion (LFI) flaw affecting the default set up and configuration of each merchandise, impacting all variations together with the most recent launch, 16.7.10368.56560.
Researchers at managed cybersecurity platform Huntress detected the security subject on September 27 when a menace actor efficiently exploited it to acquire a machine key and execute code remotely.
A more in-depth evaluation revealed that the difficulty was an LFI leveraged to learn the Internet.config and extract the machine key. This allowed the attacker to make use of an older deserialization vulnerability (CVE-2025-30406) and obtain distant code execution (RCE) by means of ViewState.
The CVE-2025-30406 deserialization bug in CentreStack and Triofox was additionally exploited within the wild in March, and was as a result of a hardcoded machine key. An attacker realizing the important thing might carry out RCE on an affected system.
“After subsequent evaluation, Huntress found exploitation of an unauthenticated native file inclusion vulnerability (CVE-2025-11371) that allowed a menace actor to retrieve the machine key from the appliance Internet.config file to carry out distant code execution by way of the aforementioned ViewState deserialization vulnerability” – Huntress
Huntress contacted Gladinet to allow them to know the discovering. The seller confirmed that it was conscious of the vulnerability and stated that it was within the technique of notifying clients of a workaround till a patch is offered.
The researchers shared the mitigation with the focused buyer and printed the next suggestions to guard towards CVE-2025-11371:
- Disable the temp handler within the Internet.config file for the UploadDownloadProxy part at “C:Program Information (x86)Gladinet Cloud EnterpriseUploadDownloadProxyWeb.config”
- Find and take away the road that defines the temp handler — it factors to t.dn
Supply: Huntress
This line permits the weak performance that attackers exploit by way of Native File Inclusion, so eradicating it prevents exploitation of CVE-2025-11371.
The researchers warn that the mitigations “will influence some performance of the platform,” however guarantee that the vulnerability can’t be exploited.
Be a part of the Breach and Attack Simulation Summit and expertise the way forward for security validation. Hear from high consultants and see how AI-powered BAS is reworking breach and assault simulation.
Do not miss the occasion that can form the way forward for your security technique
