Urgent: Active Attacks Target Unpatched Gladinet Flaw (CVE-2025-11371)

Summary
– CVE-2025-11371 is an unauthenticated Local File Inclusion vulnerability in Gladinet CentreStack and Triofox platforms being actively exploited by attackers.
– A patch is not yet available, but users can mitigate the flaw by disabling a specific handler in their Web.config file.
– The vulnerability allows attackers to remotely access any file on the file system without authentication, which can lead to remote code execution.
– Both CentreStack and Triofox are affected in the latest version 16.7.10368.56560 and all earlier versions.
– Huntress observed exploitation on September 27, 2025, and recommends immediate implementation of the mitigation until a patch is released.

A critical security vulnerability designated as CVE-2025-11371 is currently under active exploitation, posing a severe risk to organizations using Gladinet’s CentreStack and Triofox platforms. This unauthenticated Local File Inclusion flaw enables attackers to remotely access any file on the system without needing login credentials. Although Gladinet is developing an official patch, a temporary mitigation is available and should be implemented immediately to protect vulnerable installations.
Security researchers at Huntress have confirmed that malicious actors are actively leveraging this vulnerability in real-world attacks. They reported observing exploitation impacting multiple customers, urging all users of the affected file-sharing and remote access solutions to apply the recommended workaround without delay. The flaw impacts the default installation and configuration of the latest Gladinet CentreStack and Triofox version, 16.7.10368.56560, as well as all earlier releases.
CentreStack serves as a file-sharing, synchronization, and remote access platform primarily for managed service providers and small businesses. Triofox functions as a secure file-access and gateway solution tailored for medium to large enterprises, allowing file access without requiring a VPN. Both products can be deployed on-premises, within an organization’s own cloud infrastructure, or hosted through Gladinet’s cloud services.
Huntress first detected exploitation of CVE-2025-11371 on September 27, 2025, targeting a customer’s CentreStack instance. This particular instance was running a version newer than 16.4.10315.56368, which had previously been patched against CVE-2025-30406, a separate ViewState deserialization vulnerability that was also exploited earlier.
According to Huntress investigators, this vulnerability allows threat actors to retrieve the machine key from the application’s Web.config file. With this key, attackers can forge ASP.NET ViewState payloads that bypass the platform’s integrity checks. This manipulation triggers unsafe server-side deserialization, ultimately leading to remote code execution on the compromised system.
Jamie Levy, Huntress’s Director of Adversary Tactics, emphasized the severity of the situation, noting that attackers can remotely access any file on the file system without authentication due to this vulnerability. The company’s investigation revealed that Gladinet had already engaged with at least one mutual customer to implement protective measures before Huntress formally disclosed the flaw.
Huntress followed its standard vulnerability disclosure policy by notifying Gladinet about the security issue. Gladinet confirmed awareness of the vulnerability and stated they were in the process of informing customers about an immediate workaround. The recommended mitigation involves modifying the Web.config file located at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config by removing a specific handler line.
Security experts caution that while this mitigation will temporarily impact some platform functionality, it effectively prevents exploitation until a permanent patch becomes available. The urgency of implementing this workaround cannot be overstated given the active exploitation occurring in the wild.
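
One way to check for and apply the handler removal described above, as an added example (not code from Gladinet, Huntress or the original article). The article does not name the handler, so it is passed in as the -HandlerPath parameter; that parameter, the backup directory and the script itself are assumptions.

```powershell
param(
    # Path as given in the article.
    [string]$ConfigPath = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config',
    # PLACEHOLDER: the article does not name the handler. Supply the 'path'
    # attribute value from the vendor's mitigation guidance.
    [Parameter(Mandatory)][string]$HandlerPath,
    # Assumed location, outside the web root: the file holds the machine key.
    [string]$BackupDir = (Join-Path $env:ProgramData 'WebConfigBackups'),
    [switch]$Remove   # without -Remove the script only reports
)
$ErrorActionPreference = 'Stop'

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true          # keep the file's layout on save
$xml.Load($ConfigPath)

# Handlers may be registered for IIS integrated mode (<handlers>) or classic
# mode (<httpHandlers>); local-name() keeps the query namespace-agnostic.
$xpath = "//*[local-name()='handlers' or local-name()='httpHandlers']/*[local-name()='add']"
$handlers = @($xml.SelectNodes($xpath))

# List every registered handler so the reviewer sees what is exposed.
$handlers | ForEach-Object {
    [pscustomobject]@{
        Section = $_.ParentNode.LocalName
        Name    = $_.GetAttribute('name')
        Path    = $_.GetAttribute('path')
        Type    = $_.GetAttribute('type')
    }
} | Format-Table -AutoSize | Out-String | Write-Host

$targets = @($handlers | Where-Object { $_.GetAttribute('path') -eq $HandlerPath })
if ($targets.Count -eq 0) {
    Write-Host "No handler with path '$HandlerPath' is registered: mitigation in place."
    return
}
Write-Warning "$($targets.Count) handler(s) with path '$HandlerPath' still registered."
if (-not $Remove) { return }

# Keep a timestamped copy so the line can be restored once a patch ships.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ('Web.config.{0}.bak' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
Copy-Item -LiteralPath $ConfigPath -Destination $backup
foreach ($node in $targets) { [void]$node.ParentNode.RemoveChild($node) }
$xml.Save($ConfigPath)   # ASP.NET restarts the application when Web.config changes
Write-Host "Removed $($targets.Count) handler(s); backup saved to $backup"
```

Run it from an elevated prompt without -Remove first to review the registered handlers, then again with -Remove once the handler from the vendor's guidance is confirmed.
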
Huntress successfully blocked the observed attacks before investigators could determine what additional malicious activities the attackers planned to execute. In previous attacks exploiting CVE-2025-30406 earlier this year, threat actors attempted to download malicious executables, install remote access tools, and perform lateral movement within compromised networks.
The cybersecurity community continues to monitor the situation as many aspects of these attacks remain unknown. Help Net Security has contacted Gladinet for additional information regarding the vulnerability and ongoing attacks, promising to provide updates as new information becomes available.
This article was updated on October 10, 2025, to provide clearer details about the exploitation process based on additional information from Huntress’s Director of Adversary Tactics. Organizations relying on affected Gladinet products should prioritize implementing the temporary mitigation while awaiting a comprehensive security patch.
(Source: Help Net Security)





