Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw (CVE-2025-11371)


TL;DR: Huntress has discovered in-the-wild exploitation of an unauthenticated Local File Inclusion flaw (CVE-2025-11371) in Gladinet CentreStack and Triofox products. While there is not yet a patch for the vulnerability, a mitigation is available that impacted organizations should implement as soon as possible.


Background

In April 2025, Huntress published its findings on the exploitation of CVE-2025-30406, a critical-severity flaw in Gladinet CentreStack and Triofox products. 

On September 27, 2025, the Huntress SOC received an alert from an internal detector for successful exploitation of Gladinet CentreStack software. However, the affected host was running a version later than 16.4.10315.56368, which was no longer vulnerable to CVE-2025-30406. In earlier versions of CentreStack and Triofox vulnerable to CVE-2025-30406, a hardcoded machine key allowed a threat actor to perform remote code execution via a ViewState deserialization vulnerability.

On further analysis, Huntress discovered exploitation of an unauthenticated local file inclusion vulnerability (CVE-2025-11371) that allowed a threat actor to retrieve the machine key from the application's Web.config file and then perform remote code execution via the aforementioned ViewState deserialization vulnerability.

During our investigation, we saw evidence that Gladinet had engaged with a mutual customer to implement a mitigation. Huntress reached out to Gladinet shortly after this discovery to disclose the flaw, per our standard vulnerability disclosure policy; Gladinet confirmed that it was aware of the vulnerability and was in the process of notifying customers of an immediate workaround. 

Huntress has also notified its own impacted customers of the workaround. We have observed in-the-wild exploitation of this vulnerability impacting three customers so far. Because the flaw has not yet been patched in the latest versions of CentreStack and Triofox and due to active exploitation of the flaw, vulnerable organizations should apply the mitigation outlined below.


Huntress observations

At 2025-09-26 20:48:37 UTC, the Huntress SOC responded to an internal detector written to detect post-exploitation activity for CVE-2025-30406. As soon as the threat was confirmed, the analyst contained the host, preventing further malicious activity. The detection keyed on an anomalous base64-encoded payload being executed as a child of a web server process.


Figure 1: Detection timeline for observed exploitation activity

Further details of the observed exploitation activity, vulnerability analysis, and more will be published after a patch has been released.


Mitigation guidance / What should I do?

We recommend disabling the temp handler within the Web.config file for UploadDownloadProxy located at:

C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config

This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched. 


Figure 2: A visual of the temp handler pointing to t.dn, which can be disabled as a mitigation


Removing the line highlighted above mitigates the vulnerability until a patch can be applied.
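As an added example (not Huntress's or Gladinet's code), the following PowerShell script locates the handler registration pointing at t.dn in the UploadDownloadProxy Web.config, prints it, and removes it only when run with -Remove, after taking a backup. It assumes the handler is an <add> element with a path attribute under system.webServer/handlers or system.web/httpHandlers; both the element location and the attribute name are assumptions, so review the dry-run output before removing anything.

```powershell
# Added example, not part of the original advisory. Assumes the t.dn handler is
# registered as <add ... path="...t.dn" .../> under system.webServer/handlers or
# system.web/httpHandlers; verify against your own Web.config before using -Remove.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config',
    [switch]$Remove
)

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "Web.config not found at $ConfigPath"
}

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

# Collect every handler registration whose path ends in t.dn, from either section.
$hits = @()
foreach ($xpath in @('/configuration/system.webServer/handlers/add',
                     '/configuration/system.web/httpHandlers/add')) {
    foreach ($node in $config.SelectNodes($xpath)) {
        if ($node.GetAttribute('path') -match '(?i)(^|[\\/*])t\.dn$') {
            $hits += $node
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No t.dn handler registration found; nothing to do.'
    return
}

foreach ($h in $hits) {
    Write-Output ("Found handler: " + $h.OuterXml)
}

if (-not $Remove) {
    Write-Output 'Dry run only; re-run with -Remove to delete the entries shown above.'
    return
}

# Keep a timestamped copy so the handler can be restored once a vendor patch is applied.
$backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup

foreach ($h in $hits) {
    [void]$h.ParentNode.RemoveChild($h)
}
$config.Save($ConfigPath)
Write-Output "Removed $($hits.Count) handler entries; backup written to $backup"
```

Saving Web.config causes the ASP.NET application to restart, so schedule the change accordingly and confirm afterwards that requests for t.dn are no longer served.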
