Full Report
Threat actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox products, which allows a local attacker to access system files without authentication. [...]
Analysis Summary
# Vulnerability: Zero-Day LFI in Gladinet CentreStack/Triofox Leading to RCE
## CVE Details
- CVE ID: CVE-2025-11371 (Primary LFI vulnerability)
- CVSS Score: N/A (Score not provided in the article)
- CWE: Not specified in the article; the weakness class is Local File Inclusion (LFI)
## Affected Systems
- Products: Gladinet CentreStack and Gladinet Triofox
- Versions: All versions, including the latest release (16.7.10368.56560).
- Configurations: Default installation and configuration.
## Vulnerability Description
CVE-2025-11371 is a Local File Inclusion (LFI) vulnerability present in Gladinet CentreStack and Triofox products. This flaw allows a *local attacker* to read system files, specifically the `Web.config` file, to extract the system's hardcoded machine key. Once the machine key is obtained, the attacker can chain this LFI with a known, older deserialization vulnerability (CVE-2025-30406) involving **ViewState** to achieve **Remote Code Execution (RCE)** on the affected system.
## Exploitation
- Status: Exploited in the wild (At least three companies targeted; Huntress detected exploitation).
- Complexity: Medium (The LFI is first used to steal the machine key; the key is then used against the secondary ViewState deserialization flaw, CVE-2025-30406).
- Attack Vector: Local (Initial LFI requires local access, though RCE is achieved remotely afterward using the stolen key).
## Impact
- Confidentiality: High (Allows reading sensitive configuration files and potentially unauthorized access).
- Integrity: High (Leads to Remote Code Execution).
- Availability: High (RCE can lead to system compromise/disruption).
## Remediation
### Patches
- **Patches are not yet available** from the vendor at the time of the advisory.
### Workarounds
Customers must manually modify the `Web.config` file associated with the `UploadDownloadProxy` component to disable the vulnerable handler:
1. Navigate to: `C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config`
2. Locate and **remove the line** that defines the `temp handler` which points to `t.dn`.
**Note:** The vendor warns that applying this mitigation **will impact some functionality** of the platform.
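The two-step workaround above is easy to verify mechanically. The following added example (not vendor or Huntress code) parses a `Web.config`, reports any handler registration whose path maps to `t.dn`, and writes a copy with that registration removed; the sample configuration, the handler `type` values and the exact attribute layout are constructed for illustration, since the article quotes no configuration text.

```python
"""Check whether the CVE-2025-11371 workaround (removing the 'temp' handler
that points to t.dn) has been applied to a Gladinet UploadDownloadProxy
Web.config, and produce a mitigated copy.  Added example; the Web.config
below is constructed and is not taken from the product."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

HANDLER_TARGET = "t.dn"  # path named in the vendor workaround

# Constructed sample. Attribute names follow the standard IIS
# <system.webServer><handlers><add> schema; type values are placeholders.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="temp" path="t.dn" verb="*" type="PLACEHOLDER.TempHandler" />
      <add name="upload" path="upload.ashx" verb="*" type="PLACEHOLDER.UploadHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""

def _maps_to_target(handler: ET.Element) -> bool:
    # Match "t.dn" as well as a path such as "/t.dn"; case-insensitive like IIS.
    return handler.get("path", "").lower().endswith(HANDLER_TARGET)

def find_target_handlers(config_xml: str) -> List[str]:
    """Return the names of handler registrations mapped to t.dn.
    A non-empty result means the workaround has NOT been applied."""
    root = ET.fromstring(config_xml)
    return [h.get("name", "") for h in root.findall("./system.webServer/handlers/add")
            if _maps_to_target(h)]

def remove_target_handlers(config_xml: str) -> Tuple[str, int]:
    """Return (mitigated_xml, removed_count) with every t.dn handler dropped.
    Other handlers are left untouched."""
    root = ET.fromstring(config_xml)
    handlers_el = root.find("./system.webServer/handlers")
    removed = 0
    if handlers_el is not None:
        for h in list(handlers_el):
            if _maps_to_target(h):
                handlers_el.remove(h)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    print("unmitigated handlers:", find_target_handlers(SAMPLE_WEB_CONFIG))
    fixed, n = remove_target_handlers(SAMPLE_WEB_CONFIG)
    print(f"removed {n}; remaining t.dn handlers:", find_target_handlers(fixed))
```

Run it against the real file only after backing it up, and expect the functional impact the vendor warns about once the handler is gone.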
## Detection
- **Indicators of Compromise:** Look for evidence of the machine key being read from `Web.config` or known exploitation patterns related to CVE-2025-30406 (ViewState deserialization) occurring after an LFI access attempt.
- **Detection Methods and Tools:** Monitoring file access patterns for the `Web.config` file in the specified application path is crucial for detection prior to mitigation.
## References
- Vendor Advisory: Gladinet has confirmed it is aware of the issue and is notifying customers.
- Research: Huntress blog regarding Gladinet CentreStack/Triofox Local File Inclusion Flaw.