Full Report
Gladinet has released security updates for its CentreStack business solution to address a local file inclusion vulnerability (CVE-2025-11371) that threat actors have leveraged as a zero-day since late September. [...]
Analysis Summary
# Vulnerability: Active Zero-Day Local File Inclusion Leading to RCE in Gladinet CentreStack
## CVE Details
- CVE ID: CVE-2025-11371 (Local File Inclusion bypass) and CVE-2025-30406 (Deserialization RCE)
- CVSS Score: Not explicitly provided, but the chain leads to Remote Code Execution (RCE). LFI severity is high due to RCE chaining.
- CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. Path Traversal) likely applies to CVE-2025-11371.
## Affected Systems
- Products: Gladinet CentreStack business solution
- Versions: Versions prior to 16.10.10408.56683
- Configurations: Relevant to deployments utilizing the affected file-sharing software.
## Vulnerability Description
CVE-2025-11371 is a Local File Inclusion (LFI) vulnerability in the temp-download handler, reachable at `/storage/t.dn?s=...`. The flaw stems from a failure to properly sanitize the `s=` parameter, which allows directory traversal. Because the service runs as `NT AUTHORITY\SYSTEM`, successful exploitation lets an attacker read sensitive local files, most importantly the `Web.config` file.
This LFI is critical because the extracted `Web.config` contains the ASP.NET machine key. An attacker can use this key to forge a malicious ViewState payload which then triggers the deserialization vulnerability (CVE-2025-30406) on the server, ultimately leading to Remote Code Execution (RCE).
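The root cause described above is a download handler that joins a client-supplied name onto its base directory without checking where the result lands. The following added example (not Gladinet's code; the base directory `/srv/centrestack/temp`, the function names and the sample inputs are all constructed for this illustration) shows the unchecked join beside the hardened form: decode once, canonicalise, then verify the resolved path is still under the base directory.

```python
"""Added example: confining a client-supplied file name to a temp directory.

Not CentreStack code. Paths, names and the sample inputs are constructed.
"""
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed base directory; it does not need to exist for the checks below.
SAMPLE_BASE = "/srv/centrestack/temp"


def unsafe_resolve(base_dir: str, user_name: str) -> Path:
    """Naive pattern: trust the client-supplied name and join it.

    A value such as '../Web.config' escapes base_dir. This is the class of
    defect the advisory describes, shown only to contrast with safe_resolve.
    """
    return Path(base_dir) / user_name


def naive_escapes(base_dir: str, user_name: str) -> bool:
    """True if the unchecked join would resolve outside base_dir."""
    base = Path(base_dir).resolve()
    target = unsafe_resolve(base_dir, unquote(user_name).replace("\\", "/")).resolve()
    try:
        target.relative_to(base)
        return False
    except ValueError:
        return True


def safe_resolve(base_dir: str, user_name: str) -> Optional[Path]:
    """Hardened pattern: decode, canonicalise, then confine.

    Returns the resolved path if it is inside base_dir, otherwise None.
    resolve() also follows symlinks, so a link inside the directory that
    points outside it is rejected as well.
    """
    base = Path(base_dir).resolve()
    # Decode percent-encoding so '%2e%2e%2f' cannot slip past a literal
    # check, and treat backslashes as separators as Windows does.
    name = unquote(user_name).replace("\\", "/")
    # An absolute name replaces base in the join; relative_to catches that too.
    candidate = (base / name).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def run_samples() -> Dict[str, str]:
    """Classify a few constructed names with the hardened resolver."""
    names = [
        "report.pdf",                 # ordinary temp download
        "../Web.config",              # parent-directory traversal
        "..%2f..%2fWeb.config",       # percent-encoded traversal
        "..\\..\\Web.config",         # Windows-style separators
        "/etc/passwd",                # absolute path replacing the base
    ]
    return {
        n: "allowed" if safe_resolve(SAMPLE_BASE, n) is not None else "rejected"
        for n in names
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name!r:28} naive_escapes={naive_escapes(SAMPLE_BASE, name)!s:5} safe={verdict}")
```

The decisive step is `relative_to` after `resolve()`: string checks for `..` alone miss encoded, mixed-separator and symlink cases, whereas comparing canonical paths covers all of them at once.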
## Exploitation
- Status: Actively exploited in the wild (Zero-day leveraged since late September).
- Complexity: Low for the initial LFI component, but requires chaining with the prior deserialization flaw for full RCE.
- Attack Vector: Network (Unauthenticated requests observed).
## Impact
- Confidentiality: High (Allows reading sensitive configuration files, including cryptographic keys, and potentially other system files accessible by SYSTEM).
- Integrity: High (Allows RCE via deserialization chain).
- Availability: High (If RCE leads to system compromise or service disruption).
## Remediation
### Patches
- Upgrade to **CentreStack version 16.10.10408.56683** or later.
### Workarounds
- Disable the `temp` handler in the `Web.config` file for the `UploadDownloadProxy` component by removing the line that defines it.
## Detection
- Indicators of compromise: Look for HTTP requests targeting `/storage/t.dn?s=...` that return contents of `Web.config`. Subsequently, look for base64-encoded POST payloads attempting command execution.
- Detection methods and tools: Monitor web server and network logs for requests to the path `/storage/t.dn`. Note that file integrity monitoring on `Web.config` detects modification, not reads; to record reads of the file, enable file access auditing (a read SACL) on it.
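As an added example of the detection guidance above (not Huntress's or Gladinet's tooling), the scanner below reads IIS W3C log lines, flags every request to `/storage/t.dn`, and raises the severity when the decoded `s=` parameter contains a traversal segment or references `Web.config`. The log lines, IP addresses and field layout are constructed for this demonstration; the field order mirrors a typical IIS W3C `#Fields:` header, and the parser takes its column names from that header rather than assuming them.

```python
"""Added example: scanning IIS W3C logs for temp-download handler abuse.

Not vendor or Huntress code. All log lines below are constructed samples.
"""
import re
from typing import Dict, Iterator, List, Optional
from urllib.parse import parse_qs, unquote

# Constructed sample log. Client IPs are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2025-09-27 10:01:12 10.0.0.5 GET /storage/t.dn s=..%5C..%5CUploadDownloadProxy%5CWeb.config 443 - 203.0.113.10 Mozilla/5.0 200 4821
2025-09-27 10:01:40 10.0.0.5 POST /portal/Default.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 312
2025-09-27 10:02:03 10.0.0.5 GET /storage/t.dn s=abc123 443 alice 192.0.2.44 Mozilla/5.0 200 9933
2025-09-27 10:02:30 10.0.0.5 GET /portal/images/logo.png - 443 - 192.0.2.44 Mozilla/5.0 200 1200
"""

HANDLER_PATH = "/storage/t.dn"


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields: line."""
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or fields is None:
            continue  # other directives, or data before a header
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a production tool would report it
        yield dict(zip(fields, values))


def decode_s(query: str) -> str:
    """Extract and fully decode the s= parameter ('-' means no query)."""
    if query == "-":
        return ""
    raw = parse_qs(query, keep_blank_values=True).get("s", [""])[0]
    # parse_qs decodes once; decode again so a double-encoded value
    # cannot hide its dots from the check below.
    return unquote(raw)


def classify(record: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert for temp-download requests, None for everything else."""
    if record.get("cs-uri-stem", "").lower() != HANDLER_PATH:
        return None
    s_value = decode_s(record.get("cs-uri-query", "-"))
    normalized = s_value.replace("\\", "/").lower()
    if ".." in normalized.split("/") or "web.config" in normalized:
        severity = "high"
        reason = "traversal segment or Web.config reference in s= parameter"
    else:
        severity = "info"
        reason = "temp-download handler request (baseline; review volume and source)"
    return {
        "time": f"{record.get('date', '')} {record.get('time', '')}",
        "client": record.get("c-ip", "?"),
        "status": record.get("sc-status", "?"),
        "s": s_value,
        "severity": severity,
        "reason": reason,
    }


def scan_iis_log(text: str) -> List[Dict[str, str]]:
    """Run classify() over every record and collect the alerts in order."""
    return [a for a in (classify(r) for r in parse_w3c(text)) if a is not None]


if __name__ == "__main__":
    for alert in scan_iis_log(SAMPLE_LOG):
        print(f"[{alert['severity']:4}] {alert['time']} {alert['client']} "
              f"status={alert['status']} s={alert['s']!r}: {alert['reason']}")
```

A 200 response on a high-severity hit is the strongest signal, since it means the handler served the requested file. The follow-on ViewState POSTs mentioned above carry their payload in the request body, which IIS access logs do not record; catching those requires body capture at a WAF or reverse proxy, not the log scanner shown here.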
## References
- Vendor Advisory (Implied via patch release): centrestack dot com/p/gce_latest_release dot html
- Huntress Disclosure: huntress dot com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw