Active in-the-wild exploitation of a zero-day vulnerability in Gladinet CentreStack and Triofox products has been reported. Tracked as CVE-2025-11371, the unauthenticated Local File Inclusion (LFI) flaw allows attackers to achieve remote code execution (RCE) on affected systems.
The vulnerability is currently unpatched, but a mitigation has been provided. Organizations using the affected software are strongly urged to apply the workaround immediately to prevent compromise, as Huntress has confirmed attacks against multiple customers.
The flaw represents a significant threat, enabling attackers to bypass a previous security fix and take control of vulnerable servers.
New Attack Bypasses Previous Security Patch
The discovery of this zero-day exploitation followed Huntress analysts’ investigation of an alert on September 27, 2025.
The alert, which flagged suspicious activity on a server running Gladinet CentreStack, was initially believed to be related to a previously disclosed vulnerability, CVE-2025-30406.
That flaw, reported by Huntress in April 2025, involved a hardcoded machine key that could be abused for RCE through a ViewState deserialization attack.

However, the targeted system was running a version that had been patched against CVE-2025-30406. Further analysis revealed a new, sophisticated attack chain.
Threat actors were exploiting the LFI vulnerability, CVE-2025-11371, to read the file and extract the machine key. With this key, they could then leverage the same ViewState deserialization method from the earlier vulnerability to execute arbitrary code.
This technique effectively renders the patch for CVE-2025-30406 insufficient on its own, creating a new path for attackers to achieve the same devastating impact.
Huntress confirmed that this is not a theoretical threat, having observed the exploit used against three of its customers.
The first signs of an attack were detected on September 26, 2025, when an internal monitor alerted the Huntress Security Operations Center (SOC) to an anomalous base64 payload being executed as a child process of a web server.
Upon confirming the threat, the analyst immediately contained the compromised host to prevent further malicious activity.
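As an added illustration, not Huntress's monitor or any code from the article, the script below applies the same detection idea to constructed process-creation events: flag a child of the web server worker process (assumed here to be w3wp.exe, since CentreStack is an ASP.NET application running under IIS) whose command line carries a base64 payload, and decode it for analyst triage. Event field names and sample command lines are assumptions.

```python
import base64
import binascii
import json
import ntpath
import re

# Assumption: the web server hosting the application is IIS, whose worker process is w3wp.exe.
WEB_SERVER_IMAGES = {"w3wp.exe"}
# PowerShell accepts abbreviations of -EncodedCommand; the argument is base64 of a UTF-16LE string.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Any other long base64-looking token in the child's command line.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64(token, utf16=False):
    """Decode a base64 token for triage; None if it is not valid base64."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, binascii.Error):
        return None
    return raw.decode("utf-16-le" if utf16 else "utf-8", errors="replace")


def triage_event(event):
    """Return a finding for a web-server child carrying a base64 payload, else None."""
    parent = ntpath.basename(event["parent"]).lower()
    if parent not in WEB_SERVER_IMAGES:
        return None  # the signal is specifically a child of the web server process
    image = ntpath.basename(event["image"]).lower()
    if (m := ENC_FLAG.search(event["cmdline"])):
        return {"rule": "encoded_powershell", "parent": parent, "image": image,
                "decoded": decode_base64(m.group(1), utf16=True)}
    if (m := B64_TOKEN.search(event["cmdline"])):
        return {"rule": "base64_blob", "parent": parent, "image": image,
                "decoded": decode_base64(m.group(0))}
    return None


def find_suspicious(jsonl):
    """Run triage over newline-delimited JSON process-creation events."""
    return [f for f in (triage_event(json.loads(l)) for l in jsonl.splitlines() if l.strip()) if f]


# Constructed sample events (not telemetry from the incident); the payloads are harmless text.
_ENC = base64.b64encode("Write-Host demo".encode("utf-16-le")).decode()
_RAW = base64.b64encode(b"constructed plaintext for triage demo").decode()
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c echo {_RAW} > out.txt"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -enc {_ENC}"},  # interactive user, not a web server child: not flagged
])

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```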
During its investigation, Huntress discovered that Gladinet had already engaged with a mutual customer to implement a workaround, indicating the vendor was aware of the issue.
Following its standard disclosure policy, Huntress contacted Gladinet, which confirmed its awareness and stated it was in the process of notifying customers about the necessary mitigation. Huntress has also directly informed its own impacted partners of the workaround.
Mitigations
With no official patch yet available and active exploitation confirmed, applying the recommended mitigation is critical for all organizations using CentreStack and Triofox.
According to the guidance, administrators must disable the temp handler within the file for the UploadDownloadProxy. The configuration file is typically located at.
Removing the specified handler line will disrupt some platform functionality, but it effectively closes the attack vector until Gladinet releases a permanent patch.
Given the severity of the RCE vulnerability and the proven ability of threat actors to exploit it, system administrators should treat this mitigation as an urgent priority to protect their environments from takeover.