
Zero-Day Attack Hits Gladinet File Sharing Software

Summary

– A zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox allows unauthenticated local attackers to access system files.
– This Local File Inclusion flaw affects all versions of the products and has been exploited by threat actors to achieve remote code execution.
– Attackers combine this vulnerability with an older deserialization bug (CVE-2025-30406) to extract machine keys and execute code remotely.
– No patch is currently available, but customers can apply a mitigation by disabling the temp handler in the Web.config file.
– The mitigation prevents exploitation but will impact some platform functionality, according to researchers at Huntress.

A newly identified zero-day vulnerability is actively being exploited in Gladinet’s CentreStack and Triofox file-sharing platforms, posing a serious risk to business data security. Identified as CVE-2025-11371, this Local File Inclusion (LFI) flaw enables attackers without authentication to access sensitive system files. So far, at least three organizations have been targeted. While a permanent software patch is still in development, immediate mitigation steps are available to protect affected systems.

Both CentreStack and Triofox are widely used enterprise solutions that enable companies to leverage their own storage infrastructure for cloud-based file sharing and remote access. Gladinet reports that CentreStack alone serves thousands of businesses across more than 49 countries.

All versions of the software are currently vulnerable, including the most recent release, version 16.7.10368.56560. Security researchers from Huntress first detected active exploitation on September 27, when a threat actor successfully used the LFI flaw to obtain a machine key and achieve remote code execution.

Further investigation showed that attackers used the LFI vulnerability to read the Web.config file and extract the machine key. This allowed them to chain the attack with a previously known deserialization vulnerability, CVE-2025-30406, and execute remote code via ViewState. The same deserialization flaw was exploited in the wild in March: it stems from a hardcoded machine key which, once known to an attacker, permits remote code execution on affected systems.

Huntress stated, “After subsequent analysis, we discovered exploitation of an unauthenticated local file inclusion vulnerability that allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the ViewState deserialization vulnerability.”

Upon discovery, Huntress promptly notified Gladinet. The vendor confirmed awareness of the issue and is currently informing customers about an available workaround until a full patch is released.

To defend against CVE-2025-11371, the researchers recommend a specific configuration change. Administrators should disable the temp handler in the Web.config file for the UploadDownloadProxy component, located at “C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config”. The specific line defining the temp handler, which points to t.dn, must be located and removed.

Removing this line disables the vulnerable functionality that attackers use to perform Local File Inclusion, effectively blocking exploitation of the vulnerability. Huntress cautions that applying this mitigation will affect some platform functionality, but it ensures the security flaw can no longer be leveraged by malicious actors.
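As an added illustration (not Huntress's or Gladinet's code), the following Python helper audits a Web.config for the temp handler registration pointing to t.dn and removes it, keeping a backup. It assumes the handler is registered as an `<add ... path="t.dn" />` element under a `<handlers>` or `<httpHandlers>` section; the sample config, handler names and type names are constructed placeholders, and only the t.dn path comes from the advisory.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed fragment standing in for the UploadDownloadProxy Web.config. Handler
# names and types are placeholders; only the "t.dn" path is taken from the advisory.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="TempHandler" verb="*" path="t.dn" type="PLACEHOLDER.TempHandler" />
      <add name="OtherHandler" verb="*" path="other.ashx" type="PLACEHOLDER.Other" />
    </handlers>
  </system.webServer>
</configuration>
"""

HANDLER_SECTIONS = {"handlers", "httpHandlers"}  # IIS integrated and classic sections


def find_temp_handlers(root):
    """Return (parent, element) pairs for every handler whose path file name is t.dn."""
    hits = []
    for parent in root.iter():
        if parent.tag not in HANDLER_SECTIONS:
            continue
        for entry in list(parent):
            path = entry.get("path", "").replace("\\", "/").lower()
            if entry.tag == "add" and path.rsplit("/", 1)[-1] == "t.dn":
                hits.append((parent, entry))
    return hits


def strip_temp_handler(xml_text):
    """Audit/mitigate an in-memory config; returns (new_xml, number_of_entries_removed)."""
    root = ET.fromstring(xml_text)
    hits = find_temp_handlers(root)
    for parent, entry in hits:
        parent.remove(entry)
    return ET.tostring(root, encoding="unicode"), len(hits)


def mitigate_file(config_path):
    """Apply the workaround to a Web.config on disk, keeping a .bak copy; returns count removed.
    Caveat: ElementTree drops XML comments and original whitespace when it rewrites the file."""
    config_path = Path(config_path)
    tree = ET.parse(config_path)
    hits = find_temp_handlers(tree.getroot())
    if hits:
        shutil.copy2(config_path, config_path.with_name(config_path.name + ".bak"))
        for parent, entry in hits:
            parent.remove(entry)
        tree.write(config_path, encoding="utf-8", xml_declaration=True)
    return len(hits)
```

Run `strip_temp_handler` first against a copy of the real file to confirm exactly one entry matches before calling `mitigate_file`, and restart the site afterwards so IIS reloads the configuration.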

(Source: Bleeping Computer)
