Full Report
Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products. The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and
Analysis Summary
# Vulnerability: Local File Inclusion Leading to Remote Code Execution in Gladinet/TrioFox
## CVE Details
- CVE ID: CVE-2025-11371
- CVSS Score: 6.1 (Medium)
- CWE: no identifier is given in the source; the weakness class is Local File Inclusion (LFI).
## Affected Systems
- Products: Gladinet CentreStack, TrioFox
- Versions: All versions prior to and including 16.7.10368.56560.
- Exploitation chain: the LFI is used to read the application's `Web.config` and recover the ASP.NET machine key, which is then used to exploit the earlier ViewState deserialization vulnerability (CVE-2025-30406).
## Vulnerability Description
CVE-2025-11371 is an unauthenticated Local File Inclusion (LFI) vulnerability. Exploiting it lets an attacker read files from the server, in particular the application's `Web.config`, which holds the ASP.NET machine key. With that key an attacker can forge ViewState payloads and exploit the separate, high-severity deserialization vulnerability (CVE-2025-30406) to achieve Remote Code Execution (RCE). Note that the LFI on its own is rated Medium (CVSS 6.1); the RCE comes from chaining it with the deserialization flaw, which is why the issue should be handled as critical in practice.
## Exploitation
- Status: Active exploitation in the wild observed by Huntress since September 27, 2025.
- Prerequisites: none; the LFI is reachable without authentication, and the chain is low complexity once the machine key is obtained.
- Attack Vector: Network (implied; the file path is supplied in the HTTP request).
## Impact
- Confidentiality: High (disclosure of `Web.config`, the machine key and other server files).
- Integrity: High (the chained RCE grants full control of the host).
- Availability: High (an attacker with RCE can disrupt or destroy the service).
## Remediation
### Patches
- No fixed version was available when the report was written; Huntress withheld technical details because the flaw was being exploited without a patch. Apply the workaround below and follow vendor guidance for the fixed release.
- If a server was exposed while unpatched, treat the machine key in `Web.config` as compromised: an attacker who has already read it can keep using the ViewState deserialization path until the key is changed.
### Workarounds
- **Disable the "temp" handler in the UploadDownloadProxy `Web.config`.**
- Location: `C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config`
- Note: this breaks some platform functionality; back up the file first so the change can be reverted once a patch is installed.
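The following script applies the handler removal described above. It is an added example, not Gladinet's or Huntress's code, and it assumes the handler appears as an `<add name="temp" .../>` entry under `system.webServer/handlers`; the sample `Web.config` embedded in it is constructed, and every attribute other than `name="temp"` (the `path`, `verb` and `type` values, and the second `upload` handler) is a placeholder.

```python
"""Remove the "temp" handler from an UploadDownloadProxy Web.config (the advisory's
interim workaround). Added example, not Gladinet's or Huntress's code. It assumes the
handler is an <add name="temp" .../> entry under system.webServer/handlers; the sample
config below is constructed and every attribute except name="temp" is a placeholder."""
import shutil
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="temp" path="temp" verb="*" type="Placeholder.TempHandler" />
      <add name="upload" path="upload" verb="*" type="Placeholder.UploadHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""

HANDLERS_PATH = "system.webServer/handlers"


def disable_handler(root, handler_name="temp"):
    """Drop every <add> whose name matches (case-insensitively). Returns the count removed."""
    handlers = root.find(HANDLERS_PATH)
    if handlers is None:
        return 0
    victims = [a for a in handlers.findall("add")
               if a.get("name", "").lower() == handler_name.lower()]
    for add in victims:
        handlers.remove(add)
    return len(victims)


def handler_names(root):
    """Names of the handlers still registered, for a before/after check."""
    handlers = root.find(HANDLERS_PATH)
    return [] if handlers is None else [a.get("name") for a in handlers.findall("add")]


def apply_to_text(xml_text, handler_name="temp"):
    """Text-only variant for review: returns (removed, remaining names, new XML)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    removed = disable_handler(root, handler_name)
    return removed, handler_names(root), ET.tostring(root, encoding="unicode")


def patch_web_config(path, handler_name="temp"):
    """Back up the file, remove the handler, write the file back. Returns the count removed.
    Caveat: ElementTree drops XML comments, so diff the result against the backup."""
    path = Path(path)
    backup = path.with_name(path.name + datetime.now().strftime(".%Y%m%d%H%M%S.bak"))
    shutil.copy2(path, backup)
    tree = ET.parse(path)
    removed = disable_handler(tree.getroot(), handler_name)
    if removed:
        tree.write(path, encoding="utf-8", xml_declaration=True)
    return removed


def demo_on_sample():
    """Run patch_web_config against a temporary copy of the constructed sample."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "Web.config"
        cfg.write_text(SAMPLE_WEB_CONFIG, encoding="utf-8")
        removed = patch_web_config(cfg)
        return removed, handler_names(ET.parse(cfg).getroot())


if __name__ == "__main__":
    # To apply for real, call patch_web_config on
    # C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config
    # as an administrator with the site stopped, then restart IIS.
    print(demo_on_sample())
```

The timestamped backup is what lets you restore the handler after the vendor patch lands; keep it until then. Because the serializer rewrites the whole file, compare the result against the backup before restarting the site.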
## Detection
- **Indicators of Compromise (IOCs):** HTTP requests to the UploadDownloadProxy path whose parameters contain path traversal sequences (including URL-encoded forms) or reference `Web.config`, followed shortly by POST requests carrying ViewState to the web application from the same client (the deserialization stage).
- **Detection Methods and Tools:** Review IIS access logs for the request patterns above. File integrity monitoring (FIM) on `Web.config` does not detect the LFI itself, because reading the file does not change it; use FIM instead to confirm the "temp" handler workaround stays in place and to catch tampering with the machine key.
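A log review that encodes the indicators above, as an added example (not Huntress's detection content): it parses IIS W3C log lines, flags requests to the UploadDownloadProxy path that carry traversal sequences or name `Web.config`, and then flags `.aspx` POSTs from the same client within a time window as the possible ViewState stage. The log lines, the handler path `/UploadDownloadProxy/example-handler`, the parameter name and all addresses are constructed placeholders, and the traversal heuristic is generic rather than the actual exploit request.

```python
"""Heuristic IIS log review for the CVE-2025-11371 chain: an LFI read of Web.config
from the UploadDownloadProxy path, followed by ViewState POSTs from the same client.
Added example, not Huntress's or Gladinet's code."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed IIS W3C log lines for illustration; not real traffic. The handler
# path "/UploadDownloadProxy/example-handler" and all addresses are placeholders.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-09-27 10:01:02 10.0.0.5 GET /portal/loginpage.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-09-27 10:01:09 10.0.0.5 GET /UploadDownloadProxy/example-handler name=..%2f..%2fweb.config 443 - 203.0.113.9 curl/8.0 200
2025-09-27 10:03:41 10.0.0.5 POST /portal/loginpage.aspx - 443 - 203.0.113.9 curl/8.0 500
2025-09-27 10:05:00 10.0.0.5 GET /UploadDownloadProxy/example-handler name=report.pdf 443 - 192.0.2.4 Mozilla/5.0 200
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")
CONFIG_FILE = re.compile(r"web\.config", re.IGNORECASE)


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def is_config_read_attempt(row):
    """True for a request to UploadDownloadProxy that carries traversal or names Web.config.
    Decoding twice catches double URL-encoded sequences such as %252e%252e."""
    if "uploaddownloadproxy" not in row["cs-uri-stem"].lower():
        return False
    target = unquote(unquote(row["cs-uri-stem"] + "?" + row["cs-uri-query"]))
    return bool(TRAVERSAL.search(target) or CONFIG_FILE.search(target))


def find_alerts(rows, window=timedelta(minutes=30)):
    """Return (time, client, kind, detail) tuples: the LFI read itself, then any
    POST to an .aspx page from the same client within `window`. IIS does not log
    POST bodies, so the ViewState stage can only be inferred, not confirmed, here."""
    alerts, first_read = [], {}
    for row in rows:
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        client = row["c-ip"]
        if is_config_read_attempt(row):
            first_read.setdefault(client, ts)
            alerts.append((ts, client, "lfi-config-read", row["cs-uri-query"]))
        elif row["cs-method"] == "POST" and row["cs-uri-stem"].lower().endswith(".aspx"):
            seen = first_read.get(client)
            if seen is not None and ts - seen <= window:
                alerts.append((ts, client, "possible-viewstate-followup", row["cs-uri-stem"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_w3c(SAMPLE_LOG)):
        print(*alert)
```

The follow-up rule is deliberately loose: a 500 on an `.aspx` POST right after a configuration read is worth a look, but confirming ViewState abuse needs request bodies (a reverse proxy or WAF capture) or the ASP.NET application event log, not the IIS access log alone.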
## References
- Vendor Advisory: Not explicitly mentioned, but research originated from Huntress.
- Relevant Links:
- huntress dot com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw
- thehackernews dot com/2025/04/gladinets-triofox-and-centrestack-under dot html (for related CVE-2025-30406)