Risk actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox merchandise, which permits a neighborhood attacker to entry system recordsdata with out authentication.
At the very least three corporations have been focused to date. Though a patch will not be but out there, clients can apply mitigations.
CentreStack and Triofox are Gladinet’s enterprise options for file sharing and distant entry that permit utilizing an organization’s personal storage as a cloud. In line with the seller, CentreStack “is utilized by 1000’s of companies from over 49 international locations.”
No repair, all variations affected
The zero-day vulnerability CVE-2025-11371 is a Native File Inclusion (LFI) flaw affecting the default set up and configuration of each merchandise, impacting all variations together with the newest launch, 16.7.10368.56560.
Researchers at managed cybersecurity platform Huntress detected the safety challenge on September 27 when a risk actor efficiently exploited it to acquire a machine key and execute code remotely.
A better evaluation revealed that the problem was an LFI leveraged to learn the Net.config and extract the machine key. This allowed the attacker to make use of an older deserialization vulnerability (CVE-2025-30406) and obtain distant code execution (RCE) by way of ViewState.
The CVE-2025-30406 deserialization bug in CentreStack and Triofox was additionally exploited within the wild in March, and was attributable to a hardcoded machine key. An attacker understanding the important thing might carry out RCE on an affected system.
“After subsequent evaluation, Huntress found exploitation of an unauthenticated native file inclusion vulnerability (CVE-2025-11371) that allowed a risk actor to retrieve the machine key from the appliance Net.config file to carry out distant code execution by way of the aforementioned ViewState deserialization vulnerability” – Huntress
Huntress contacted Gladinet to allow them to know the discovering. The seller confirmed that it was conscious of the vulnerability and stated that it was within the technique of notifying clients of a workaround till a patch is accessible.
The researchers shared the mitigation with the focused buyer and revealed the next suggestions to guard towards CVE-2025-11371:
- Disable the temp handler within the Net.config file for the UploadDownloadProxy part at “C:Program Recordsdata (x86)Gladinet Cloud EnterpriseUploadDownloadProxyWeb.config”
- Find and take away the road that defines the temp handler — it factors to t.dn
Supply: Huntress
This line allows the susceptible performance that attackers exploit by way of Native File Inclusion, so eradicating it prevents exploitation of CVE-2025-11371.
The researchers warn that the mitigations “will impression some performance of the platform,” however ensure that the vulnerability can’t be exploited.
Be a part of the Breach and Assault Simulation Summit and expertise the way forward for safety validation. Hear from high consultants and see how AI-powered BAS is remodeling breach and assault simulation.
Do not miss the occasion that may form the way forward for your safety technique
