Gladinet CentreStack and Triofox have come under active attack as threat actors exploit an unauthenticated local file inclusion flaw (CVE-2025-11371).
The flaw lets attackers read sensitive files without logging in. Once they grab the machine key, they can trigger a view state deserialization bug to run code on the server. There is no official patch yet, so administrators must apply the available workaround immediately.
| CVE Identifier | Vulnerability Type | Affected Products | CVSS 3.1 Score |
|---|---|---|---|
| CVE-2025-11371 | Local File Inclusion | CentreStack, Triofox | 9.1 |
Zero-Day Exploitation Detected in the Wild
On September 27, 2025, Huntress’s security operations center spotted successful exploitation attempts against CentreStack instances.
The affected systems were running versions later than 16.4.10315.56368, which no longer suffer from the earlier CVE-2025-30406 deserialization flaw.
Deeper analysis revealed a new local file inclusion flaw that lets threat actors fetch the Web.config file and extract the machine key. With this key, attackers reused the earlier view state deserialization technique to achieve remote code execution.

Huntress confirmed that at least three customers saw in-the-wild abuse. Detection relied on spotting unusual base64 payloads running under web server processes.
Once detected, analysts isolated affected hosts to stop further compromise. A timeline of these events pinpoints the first successful attack at 20:48:37 UTC on September 26, 2025.
Mitigation Steps to Prevent Exploitation
Until a patch is released, vulnerable organizations should apply an immediate workaround.
Administrators must disable the temp handler entry in the UploadDownloadProxy Web.config file, which prevents the flaw from being triggered:
C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config
Removing the temp handler line cuts off access to the t.dn endpoint.


This change may affect some file upload or download functions, but it is critical to block active attacks. After disabling the handler, restart the web service to ensure the change takes effect.
Gladinet has acknowledged the vulnerability and is working on customer notifications for this workaround.
Huntress reached out under its standard disclosure policy, received confirmation, and shared mitigation advice with impacted clients. A formal patch is expected soon.
Below is a proof-of-concept snippet that demonstrates how an attacker fetches the Web.config file via the LFI flaw:
GET /UploadDownloadProxy/temp?file=../../Web.config HTTP/1.1
Host: vulnerable-centrestack.example.com
User-Agent: Mozilla/5.0
Accept: */*
Connection: close
After retrieving Web.config, the attacker extracts the machine key that protects view state and crafts a malicious POST:
BASE64_ENCODED_DESERIALIZED_PAYLOAD
This payload triggers remote code execution under the web server context. Administrators are urged to monitor logs for such POST requests and base64-like data within viewStateBlob parameters until the permanent fix is available.
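One way to run the log check described above, as an added example that is not code from this article, Huntress, or Gladinet. It scans IIS W3C log lines for requests to the temp handler, traversal or Web.config references in the query string, and long base64-like viewStateBlob values. Assumptions: the field layout, the sample paths and IPs, and the 64-character threshold are constructed, and only the query string is inspected because IIS logs do not record POST bodies by default.

```python
import re
from urllib.parse import parse_qsl, unquote

BLOB = "QUJD" * 20  # constructed 80-character base64-like value
# Constructed IIS W3C log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = "\n".join([
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2025-10-10 10:00:01 GET /portal/loginpage.aspx - 198.51.100.7 200",
    "2025-10-10 10:00:05 GET /UploadDownloadProxy/temp file=../../Web.config 203.0.113.9 200",
    "2025-10-10 10:00:09 GET /UploadDownloadProxy/t.dn file=..%2F..%2FWeb.config 203.0.113.9 200",
    "2025-10-10 10:00:20 POST /portal/loginpage.aspx viewStateBlob=" + BLOB + " 203.0.113.9 500",
    "2025-10-10 10:01:00 POST /portal/upload.aspx id=42 198.51.100.7 200",
])
TEMP_STEMS = ("/t.dn", "/uploaddownloadproxy/temp")  # endpoints named on the page
B64_LIKE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")  # threshold is an assumption


def scan(log_text):
    """Return (client_ip, uri_stem, reasons) for every suspicious request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        raw_query = row.get("cs-uri-query", "-")
        query = unquote(raw_query).lower()  # decode %2F / %5C before matching
        reasons = []
        if stem.endswith(TEMP_STEMS):
            reasons.append("temp-handler")
        if "../" in query or "..\\" in query or "web.config" in query:
            reasons.append("traversal-or-config")
        for name, value in parse_qsl(raw_query):
            # parse_qsl turns '+' into a space; restore it before the base64 test
            if name.lower() == "viewstateblob" and B64_LIKE.match(value.replace(" ", "+")):
                reasons.append("base64-viewstate")
        if reasons:
            hits.append((row.get("c-ip"), row.get("cs-uri-stem"), reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, reasons in scan(SAMPLE_LOG):
        print(ip, stem, ",".join(reasons))
```

Once the workaround is applied, any request that still reaches the temp handler is worth reviewing; inspecting POST bodies requires WAF or reverse-proxy logs rather than IIS logs.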