CVE-2025-11371, an unauthenticated Local File Inclusion vulnerability in Gladinet CentreStack and Triofox file-sharing and remote access platforms, is being exploited by attackers in the wild.
While Gladinet is aware of the vulnerability and of its active exploitation, a patch is still in the works. In the meantime, users can and should mitigate the flaw by disabling a handler within their installation’s Web.config file.
“We have observed in-the-wild exploitation of this vulnerability impacting three customers so far,” Huntress researchers warned, and advised organizations using Gladinet’s solutions to implement the mitigation as soon as possible.
CVE-2025-11371 exploited
CentreStack is a file-sharing, sync, and remote access platform aimed at managed service providers and small businesses. Triofox is a secure file-access/gateway solution for medium and large businesses, which allows users to access files without having to use a VPN.
Both solutions can be self-hosted, on-premises or in the organization’s cloud, or hosted in Gladinet’s cloud.
CVE-2025-11371 affects the default installation and configuration of Gladinet CentreStack and Triofox in the latest available version – 16.7.10368.56560 – as well as all earlier versions.
According to Huntress investigators, CVE-2025-11371 allows threat actors to retrieve the machine key from vulnerable applications’ Web.config file and to perform remote code execution via the CVE-2025-30406 ViewState deserialization vulnerability, which was exploited by attackers earlier this year and subsequently patched.
Huntress observed CVE-2025-11371 exploitation on September 26, 2025, on a customer’s CentreStack instance that was running a version later than version 16.4.10315.56368 (i.e., a version with a fix for CVE-2025-30406).
It thus seems that the fix was insufficient, and that attackers can still obtain the machineKey from the IIS Web.config file and use it to forge ASP.NET ViewState payloads that will pass the solution’s integrity checks.
Waiting for a fix
“During our investigation, we saw evidence that Gladinet had engaged with a mutual customer to implement a mitigation,” Huntress researchers noted.
“Huntress reached out to Gladinet shortly after this discovery to disclose the flaw, per our standard vulnerability disclosure policy; Gladinet confirmed that it was aware of the vulnerability and was in the process of notifying customers of an immediate workaround.”
The mitigation for this in-the-wild exploited issue is to remove a specific line within the Web.config file located at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config.
The line that should be removed (Source: Huntress)
“This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched,” the researchers added.
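One way to check whether the workaround is in place, as an added example (not code from Huntress, Gladinet or this article): the PowerShell script below lists the handler registrations in that Web.config and, when given the handler to look for, backs up the file and removes the matching entry. The `-Handler` value is a placeholder to be filled from the vendor's guidance, since the line to remove is not reproduced in the text of this page; the parameter names are this example's own, and it assumes the config file declares no default XML namespace.

```powershell
# Added example: inspect (and optionally remove) a handler registration in the
# UploadDownloadProxy Web.config. Run from an elevated PowerShell session.
param(
    # Default installation path, as given in the article.
    [string]$ConfigPath = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config',
    # Placeholder: handler name or path from the vendor's guidance (not stated on this page).
    [string]$Handler = '',
    [switch]$Remove
)

$ErrorActionPreference = 'Stop'
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true          # keep the file's layout when saving
$xml.Load($ConfigPath)

# Handlers can be registered for IIS integrated mode (system.webServer/handlers)
# or classic mode (system.web/httpHandlers); list both for review.
$entries = @($xml.SelectNodes('//system.webServer/handlers/add | //system.web/httpHandlers/add'))
$entries | ForEach-Object {
    [pscustomobject]@{
        Section = $_.ParentNode.ParentNode.Name + '/' + $_.ParentNode.Name
        Name    = $_.GetAttribute('name')
        Path    = $_.GetAttribute('path')
        Verb    = $_.GetAttribute('verb')
        Type    = $_.GetAttribute('type')
    }
} | Format-Table -AutoSize

if (-not $Handler) { return }            # listing only

$targets = @($entries | Where-Object {
    $_.GetAttribute('name') -eq $Handler -or $_.GetAttribute('path') -eq $Handler
})
if ($targets.Count -eq 0) {
    Write-Host "No handler matching '$Handler' is registered; the workaround appears to be applied."
    return
}
Write-Warning "Found $($targets.Count) handler registration(s) matching '$Handler'."

if ($Remove) {
    # Keep a timestamped copy so the change can be reverted once a patch ships.
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup
    foreach ($node in $targets) { [void]$node.ParentNode.RemoveChild($node) }
    $xml.Save($ConfigPath)
    Write-Host "Removed matching entries; backup saved to $backup"
}
```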
There are still many unknowns
Huntress blocked the attack before it could see what further malicious activity the attackers were planning.
In the attacks exploiting CVE-2025-30406 earlier this year, the attackers tried to download a malicious executable file, install a remote access tool, and perform lateral movement.
Help Net Security has reached out to Gladinet for more information about the issue and about the attacks and we will update this article if we hear back from them.