MUST READ

CVE-2025-11371: Unpatched zero-day in Gladinet CentreStack, Triofox under attack

 | 

Cybercrime ring GXC Team dismantled in Spain, 25-year-old leader detained

 | 

Attackers exploit valid logins in SonicWall SSL VPN compromise

 | 

Apple doubles maximum bug bounty to $2M for zero-click RCEs

 | 

Juniper patched nine critical flaws in Junos Space

 | 

Ukraine sees surge in AI-Powered cyberattacks by Russia-linked Threat Actors

 | 

U.S. CISA adds Grafana flaw to its Known Exploited Vulnerabilities catalog

 | 

RondoDox Botnet targets 56 flaws across 30+ device types worldwide

 | 

ClayRat campaign uses Telegram and phishing sites to distribute Android spyware

 | 

CVE-2025-5947: WordPress Plugin flaw lets hackers access Admin accounts

 | 

Threat actors steal firewall configs, impacting all SonicWall Cloud Backup users

 | 

Discord denies massive breach, confirms limited exposure of 70K ID photos

 | 

Qilin ransomware claimed responsibility for the attack on the beer giant Asahi

 | 

DragonForce, LockBit, and Qilin, a new triad aims to dominate the ransomware landscape

 | 

DraftKings thwarts credential stuffing attack, but urges password reset and MFA

 | 

Redis patches 13-Year-Old Lua flaw enabling Remote Code Execution

 | 

U.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog

 | 

GoAnywhere MFT zero-day used by Storm-1175 in Medusa ransomware campaigns

 | 

CrowdStrike ties Oracle EBS RCE (CVE-2025-61882) to Cl0p attacks began Aug 9, 2025

 | 

Discord discloses third-party breach affecting customer support data

 | 

CVE-2025-11371: Unpatched zero-day in Gladinet CentreStack, Triofox under attack

Pierluigi Paganini October 11, 2025

Threat actors are exploiting a zero-day, tracked as CVE-2025-11371 in Gladinet CentreStack and Triofox products.

Threat actors are exploiting the local File Inclusion (LFI) flaw CVE-2025-11371, a zero-day in Gladinet CentreStack and Triofox. A local user can exploit the issue to access system files without authentication.

Gladinet CentreStack and Triofox are enterprise file-sharing and cloud storage solutions designed for businesses:

  • CentreStack: Provides a secure platform for file sharing, syncing, and collaboration, integrating on-premises storage with cloud access. It allows companies to offer cloud-like access to internal file servers while maintaining control over data.
  • Triofox: Offers a hybrid cloud solution that enables secure remote access to existing Windows file shares and SMB/NFS storage. It includes features like file versioning, synchronization, and web/mobile access, without moving data from the company’s servers.

Both are used to manage corporate files securely while supporting remote work and collaboration.

Experts are aware of the existence of mitigations, but warn that the issue has yet to be patched.

“In earlier versions of CentreStack and Triofox vulnerable to CVE-2025-30406, a hardcoded machine key would allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability.” reads the report published by Huntress. “After subsequent analysis, Huntress discovered exploitation of an unauthenticated local file inclusion vulnerability (CVE-2025-11371) that allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability.”

Gladinet and Huntress have alerted customers to a workaround for the actively exploited CVE-2025-11371 flaw. The cybersecurity firm reported that at least three customers have been targeted so far.

The company recommends disabling the temp handler in UploadDownloadProxy’s Web.config to block exploitation of the vulnerability, though some platform functionality will be affected.

Gladinet CentreStack and Triofox
A visual of the temp handler pointing to t.dn, which can be disabled as a mitigation (Source Huntress)

“Removing the line highlighted above will mitigate the vulnerability present until such time as a patch can be applied.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Gladinet)

Gladinet Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News zero-Day

you might also like

Pierluigi Paganini October 11, 2025
Attackers exploit valid logins in SonicWall SSL VPN compromise
Read more
Pierluigi Paganini October 10, 2025
Apple doubles maximum bug bounty to $2M for zero-click RCEs
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

CVE-2025-11371: Unpatched zero-day in Gladinet CentreStack, Triofox under attack

Hacking / October 11, 2025

Cybercrime ring GXC Team dismantled in Spain, 25-year-old leader detained

Uncategorized / October 11, 2025

Attackers exploit valid logins in SonicWall SSL VPN compromise

Hacking / October 11, 2025

Apple doubles maximum bug bounty to $2M for zero-click RCEs

Security / October 10, 2025

Juniper patched nine critical flaws in Junos Space

Security / October 10, 2025