Mallory

Active Exploitation of Unpatched LFI Vulnerability in Gladinet CentreStack and TrioFox (CVE-2025-11371)

Tags: actively-exploited-vulnerability, internet-facing-service-vulnerability, rapid-weaponization, widely-deployed-product-advisory, initial-access-method
Updated March 21, 2026 at 03:45 PM (11 sources)

Attackers are actively exploiting a zero-day vulnerability, CVE-2025-11371, in Gladinet CentreStack and TrioFox file-sharing and remote access platforms. This vulnerability is an unauthenticated local file inclusion (LFI) flaw that allows threat actors to access sensitive system files, including the application's Web.config file. By retrieving the machine key from this configuration file, attackers can leverage a previously patched vulnerability, CVE-2025-30406, to achieve remote code execution (RCE) through ViewState deserialization attacks.

Huntress, a cybersecurity firm, first detected exploitation of this flaw on September 26-27, 2025, and has confirmed that at least three customers have been impacted so far. The vulnerability affects all versions of CentreStack and TrioFox up to and including 16.7.10368.56560, and there is currently no official patch available from Gladinet. Both self-hosted and cloud-hosted deployments of these platforms are at risk, as the flaw impacts default installations and configurations. The exploitation chain involves using the LFI to extract the machine key, which is then used to craft malicious ViewState payloads that bypass integrity checks and enable arbitrary code execution on the server. Notably, Huntress observed successful exploitation even on systems that had already patched CVE-2025-30406, indicating that the previous fix was insufficient to fully mitigate the risk.

In response, Huntress and other security experts recommend disabling the "temp" handler within the UploadDownloadProxy Web.config file as an immediate mitigation, though this may impact some platform functionality. Gladinet has acknowledged the vulnerability and its active exploitation but has not yet released a patch, urging customers to implement the recommended mitigations.
The affected products are widely used by managed service providers, small businesses, and enterprises for secure file access and sharing, increasing the potential impact of this vulnerability. Attackers exploiting this flaw can gain full control over affected servers, leading to data theft, lateral movement, or further compromise of organizational networks. Security researchers are withholding some technical details to prevent further exploitation while a patch is developed. Organizations using CentreStack or TrioFox should urgently review their configurations and apply the recommended mitigations to reduce exposure. The incident highlights the risks associated with chained vulnerabilities and the importance of defense-in-depth strategies. Ongoing monitoring and threat detection are advised until a permanent fix is available. The situation remains fluid, with active exploitation continuing and the vendor working on a security update.

Timeline

  1. Oct 17, 2025

    Public proof-of-concept details increase exploitation risk

    By the time the fix was reported, proof-of-concept exploit details for CVE-2025-11371 had been published publicly. This raised the likelihood of broader opportunistic attacks against unpatched or unmitigated systems.

  2. Oct 17, 2025

    Gladinet releases CentreStack patch for CVE-2025-11371

    Gladinet released CentreStack version 16.10.10408.56683 to address the actively exploited zero-day. Organizations unable to upgrade were still advised to use the temp-handler mitigation.

  3. Oct 16, 2025

    Nuclei detection template for CVE-2025-11371 is proposed

    A ProjectDiscovery GitHub pull request was opened to add a Nuclei template for detecting CVE-2025-11371 in Gladinet CentreStack and TrioFox. The submission referenced public research and a proof-of-concept for validation.

  4. Oct 14, 2025

    Horizon3 publishes technical analysis and IOCs

    Horizon3.ai released technical details for CVE-2025-11371, describing how the LFI could expose Web.config, leak machine keys, and lead to remote code execution. The publication also included indicators of compromise and defensive guidance such as rotating the machineKey after containment.

  5. Oct 13, 2025

    Gladinet notifies customers and works on a fix

    Gladinet began notifying customers about the actively exploited vulnerability and stated it was working on a solution. This marked the vendor's response while affected versions remained exposed.

  6. Oct 10, 2025

    Gladinet and Huntress recommend temporary mitigation

    With no vendor fix available, Gladinet and Huntress advised customers to disable the temp handler in the UploadDownloadProxy Web.config file to reduce exposure. The workaround was noted to impair some product functionality but was recommended because exploitation was ongoing.

  7. Oct 10, 2025

    Huntress identifies attacks affecting at least three customers

    Huntress detected active exploitation of CVE-2025-11371 impacting at least three customer environments. Researchers found the flaw affected Gladinet CentreStack and TrioFox installations and warned that no patch was yet available.

  8. Sep 25, 2025

    Active exploitation of CVE-2025-11371 begins

    Threat actors began exploiting the Gladinet CentreStack and TrioFox zero-day CVE-2025-11371 in the wild in late September 2025. The unauthenticated local file inclusion flaw could be chained to recover machine keys and enable remote code execution via ViewState deserialization.
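The two defensive steps this story describes, disabling the "temp" handler in the UploadDownloadProxy Web.config while no patch was available and rotating the machineKey after containment so that a key recovered through the LFI no longer validates ViewState, can both be scripted against the configuration file. The Python script below is an added example and is not code from Gladinet, Huntress or Horizon3.ai. The Web.config it operates on is constructed, and the shape of the handler entry (an `<add name="temp" .../>` under `system.webServer/handlers`) and the machineKey attributes are assumptions modelled on standard ASP.NET/IIS configuration, not a copy of the vendor's file. It audits whether the handler is still registered, produces a copy with it removed, and replaces the machineKey with freshly generated values.

```python
"""Audit and harden an ASP.NET Web.config: check/remove the "temp" handler
and rotate the machineKey. Added example; the sample config is constructed."""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample Web.config. The element layout follows standard
# ASP.NET/IIS sections (system.web/machineKey, system.webServer/handlers);
# the handler attributes and the key values are placeholders for
# illustration, not Gladinet's actual file.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
  <system.webServer>
    <handlers>
      <add name="temp" path="temp" verb="*" type="Example.TempHandler" />
      <add name="upload" path="upload" verb="POST" type="Example.UploadHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""


def _find_handler(root, name):
    """Return (handlers_element, add_element) for the named handler; Nones if absent."""
    handlers = root.find("system.webServer/handlers")
    if handlers is None:
        return None, None
    for add in handlers.findall("add"):
        if add.get("name", "").lower() == name.lower():
            return handlers, add
    return handlers, None


def temp_handler_enabled(xml_text):
    """True if a handler named "temp" is still registered (exposure check)."""
    _, add = _find_handler(ET.fromstring(xml_text), "temp")
    return add is not None


def disable_temp_handler(xml_text):
    """Return a copy of the config with the "temp" handler entry removed.
    Every other handler is left untouched."""
    root = ET.fromstring(xml_text)
    handlers, add = _find_handler(root, "temp")
    if add is not None:
        handlers.remove(add)
    return ET.tostring(root, encoding="unicode")


def machine_key_values(xml_text):
    """Return the current validationKey/decryptionKey, or None if no machineKey."""
    mk = ET.fromstring(xml_text).find("system.web/machineKey")
    if mk is None:
        return None
    return {"validationKey": mk.get("validationKey"),
            "decryptionKey": mk.get("decryptionKey")}


def rotate_machine_key(xml_text):
    """Replace the machineKey with fresh random keys and return (new_xml, keys).

    Sizes follow the usual ASP.NET guidance: a 64-byte validationKey for
    HMACSHA256 and a 32-byte decryptionKey for AES-256, both upper-case hex."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    keys = {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}
    mk.set("validationKey", keys["validationKey"])
    mk.set("decryptionKey", keys["decryptionKey"])
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode"), keys


def harden(xml_text):
    """Apply both steps and return (hardened_xml, report)."""
    had_temp = temp_handler_enabled(xml_text)
    old_keys = machine_key_values(xml_text)
    without_temp = disable_temp_handler(xml_text)
    hardened, new_keys = rotate_machine_key(without_temp)
    return hardened, {"temp_handler_removed": had_temp,
                      "machine_key_rotated": old_keys != new_keys}


if __name__ == "__main__":
    out, report = harden(SAMPLE_WEB_CONFIG)
    print(report)
    print(out)
```

Run it against a backed-up copy of the real file rather than in place, and keep in mind the two consequences the story itself notes: removing the handler impairs some product functionality, and rotating the machineKey invalidates existing ViewState and forms-authentication tokens, so users are signed out. Rotation only helps if it happens after containment; a key rotated on a host the attacker still controls can simply be read again.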


Sources

nuclei-templates pull request: "add CVE-2025-11371" (October 16, 2025 at 09:57 PM; October 16, 2025 at 12:00 AM)

5 more from sources like securityaffairs, the hacker news, bank info security, govinfosecurity and bleeping computer

Related Stories

Active Exploitation of Gladinet CentreStack and Triofox Cryptographic Flaw Enables Remote Code Execution

Attackers are actively exploiting a critical cryptographic vulnerability in Gladinet's CentreStack and Triofox products, which are used for secure remote file access and sharing. The flaw stems from the use of hard-coded cryptographic keys within the `GladCtrl64.dll` component, allowing threat actors to decrypt or forge access tickets and gain unauthorized access to sensitive files, including `web.config`. This access can be leveraged to obtain machine keys and achieve remote code execution via ViewState deserialization. Security researchers from Huntress have observed at least nine organizations targeted by these attacks, with exploitation occurring in the wild and Gladinet issuing advisories and updates to mitigate the risk. The vulnerability is rooted in a custom implementation of the AES algorithm, where static 100-byte strings are used to derive encryption keys and initialization vectors, making them identical across all installations. Attackers can craft malicious requests to the `/storage/filesvr.dn` endpoint, bypassing authentication and impersonating users. Gladinet has provided indicators of compromise (IoCs) and urged customers to update to the latest versions released on November 29. The attacks highlight the risks of insecure cryptographic practices and the importance of timely patching in enterprise environments.

1 month ago

Clop Ransomware Data Extortion Attacks on Gladinet CentreStack and Triofox Servers

The Clop ransomware group has initiated a widespread data extortion campaign targeting Internet-exposed Gladinet CentreStack and Triofox file servers. Attackers are exploiting multiple vulnerabilities, including CVE-2025-11371 (an unauthenticated local file inclusion flaw), CVE-2025-14611 (hardcoded cryptographic keys), and CVE-2025-12480 (a critical remote code execution vulnerability in Triofox). These vulnerabilities allow unauthorized access, file retrieval, and even remote code execution, enabling Clop to steal sensitive corporate data and leave ransom notes on compromised systems. Security researchers and incident responders have observed active exploitation across at least 200 unique IP addresses, with evidence that both zero-day and unpatched n-day vulnerabilities are being leveraged. Gladinet CentreStack and Triofox are widely used by businesses for secure file storage and sharing, making the impact of these attacks potentially significant. The Clop group’s campaign follows their established pattern of targeting file transfer and sharing solutions, having previously compromised platforms such as MOVEit, GoAnywhere, and Oracle EBS. Security updates have been released by Gladinet to address some of the exploited flaws, but the ongoing attacks highlight the importance of timely patching and monitoring of Internet-facing file sharing infrastructure. Technical analysis by VulnCheck and Mandiant has provided detailed insights into the exploitation methods, emphasizing the complexity and sophistication of the attack chain.

1 month ago

Active Exploitation of Triofox Improper Access Control Vulnerability (CVE-2025-12480)

A critical improper access control vulnerability in Triofox (CVE-2025-12480, CVSS 9.1) allows attackers to access initial setup pages even after the software has been configured. This flaw, present in versions prior to 16.7.10368.56560, enables unauthenticated users to bypass authentication and access sensitive configuration interfaces. The vulnerability was disclosed and patched by Gladinet, with the update specifically restricting access to these setup pages post-installation. Despite the availability of a patch, threat actors tracked as UNC6485 have been observed actively exploiting this vulnerability since at least August 2025. Attackers leverage the flaw to create new administrative accounts by rerunning the setup process, then use these accounts to upload and execute arbitrary payloads. Notably, the exploitation chain abuses the built-in antivirus feature, allowing attackers to specify a malicious script as the antivirus engine path, which then executes with SYSTEM privileges. This incident marks the third actively exploited Triofox vulnerability in 2025, highlighting ongoing targeting of the platform by sophisticated threat actors.

1 month ago
