Gladinet patches critical zero-day flaw in file-sharing software
▼ Summary
– Gladinet released security updates for CentreStack to patch a local file inclusion vulnerability (CVE-2025-11371) exploited as a zero-day since late September.
– The vulnerability allowed attackers to read the Web.config file, extract the machine key, and exploit a separate deserialization flaw (CVE-2025-30406) for remote code execution.
– The root cause was a sanitization failure in the temp-download handler, enabling directory traversal to access files accessible by the SYSTEM account.
– Huntress disclosed the exploitation and provided technical details, including a proof-of-concept for CVE-2025-11371 but not the full exploit chain.
– Administrators should upgrade to CentreStack version 16.10.10408.56683 or disable the temp handler in Web.config as a mitigation.
Gladinet has issued a crucial security update for its CentreStack business file-sharing platform to resolve a serious zero-day vulnerability that malicious actors have actively exploited since late September. This local file inclusion flaw, tracked as CVE-2025-11371, allowed attackers to bypass existing protections and achieve remote code execution on affected systems.
Cybersecurity specialists at Huntress uncovered the exploitation campaign, noting that the vulnerability effectively circumvented mitigations Gladinet had previously put in place for an earlier deserialization issue known as CVE-2025-30406. By leveraging the local file inclusion weakness, attackers could access the Web.config file on fully updated CentreStack installations, extract the machine key, and then weaponize it to exploit the deserialization vulnerability.
Once Huntress notified Gladinet about the active zero-day attacks, the company promptly provided customers with temporary protective measures while developing a permanent patch. The security fix is now integrated into CentreStack version 16.10.10408.56683, and administrators are strongly urged to apply this update without delay.
Huntress has since released additional technical specifics regarding CVE-2025-11371, including a minimal proof-of-concept demonstration. The vulnerability stems from inadequate input sanitization in the temp-download handler, accessible via the /storage/t.dn endpoint. This handler accepts an ‘s=’ parameter that permits directory traversal, enabling unauthorized file access.
Because the service operates under the NT AUTHORITY\SYSTEM account and resolves files relative to the temporary folder, attackers can read any file accessible to the SYSTEM account. This includes the Web.config file, which houses the ASP.NET machine key. With this key in hand, threat actors can craft a malicious ViewState payload. When deserialized by the server due to CVE-2025-30406, this leads directly to remote code execution.
During their investigation, Huntress observed real-world attacks where HTTP requests to ‘/storage/t.dn?s=…’ successfully retrieved Web.config files. These were followed by base64-encoded POST payloads that executed commands on targeted systems. The researchers shared a one-line PowerShell Invoke-WebRequest example demonstrating how an unauthenticated request could retrieve the Web.config file, though they deliberately withheld the complete exploit chain involving the earlier deserialization vulnerability.
For organizations unable to immediately install the new version, an effective workaround involves disabling the temp handler within the Web.config file for the UploadDownloadProxy component. This is accomplished by removing the specific line that defines the handler, effectively neutralizing the attack vector until the permanent update can be applied.
(Source: Bleeping Computer)
