Exploited Zero-Day: Critical Gladinet/Triofox Flaw CVE-2025-11371 Allows RCE via LFI
Analysts at Huntress have detected active exploitation attempts targeting a newly discovered vulnerability in CentreStack and TrioFox products by Gladinet. Tracked as CVE-2025-11371, the flaw is classified as a Local File Inclusion (LFI) vulnerability that may allow unauthorized access to system files. The issue affects all versions up to and including 16.7.10368.56560, and as of now, no official patch has been released.
Malicious activity was first observed on September 27, when researchers identified attack traces across three client environments. In one documented case, attackers successfully exploited the vulnerability in a newer software version that was not affected by the previous critical flaw, CVE-2025-30406. This suggests that adversaries may be leveraging the new vulnerability to extract a hardcoded key from configuration files and to execute remote code via the ViewState serialization flaw, which has been abused in prior attack campaigns.
CVE-2025-11371 enables access to the Web.config file and the extraction of the machine key, which—when chained with the earlier vulnerability—could lead to a complete system compromise. Although the two flaws operate through different mechanisms, they are potentially interlinked, and their sequential exploitation allows arbitrary code execution on the server without authentication.
The identity of the attackers remains unknown, but Huntress notes the strong likelihood that the same threat actors who previously exploited CVE-2025-30406 are behind these attacks, given the methodological similarities and the minimal effort required to discover a related flaw within familiar software.
Pending an official fix, Huntress recommends a temporary mitigation: disable the “temp” handler in the Web.config file located at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config.
While this measure may limit certain system functionalities, it will effectively block exploitation through this vector.
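The following audit check is an added example, not code from Huntress or Gladinet: it parses a Web.config and reports whether an active handler entry matching "temp" is still registered. It assumes the handler appears as an `<add>` element with `path="temp"` or `name="temp"` (the article does not show the entry), and the sample configurations and handler names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Handler sections for IIS integrated mode and classic ASP.NET.
HANDLER_SECTIONS = ("handlers", "httpHandlers")

def find_temp_handlers(web_config_xml, needle="temp"):
    """Return active <add> handler entries whose path or name equals needle.

    Assumption: the "temp" handler is an <add> element with path="temp" or
    name="temp"; the article does not show the entry itself. Commented-out
    entries never match because the XML parser discards comments.
    """
    root = ET.fromstring(web_config_xml)
    hits = []
    for section in root.iter():  # also covers sections nested in <location>
        if section.tag not in HANDLER_SECTIONS:
            continue
        for entry in section:
            if entry.tag != "add":
                continue
            path = entry.get("path", "").strip().lstrip("/").lower()
            name = entry.get("name", "").strip().lower()
            if needle in (path, name):
                hits.append({"section": section.tag, **entry.attrib})
    return hits

def mitigation_applied(web_config_xml):
    """True when no active handler entry matches "temp"."""
    return not find_temp_handlers(web_config_xml)

# Constructed samples; handler names and types are placeholders.
SAMPLE_ACTIVE = """<configuration><system.webServer><handlers>
  <add name="placeholder-upload" verb="*" path="up" type="Placeholder.Up" />
  <add name="placeholder-temp" verb="*" path="temp" type="Placeholder.Temp" />
</handlers></system.webServer></configuration>"""

SAMPLE_DISABLED = """<configuration><system.webServer><handlers>
  <add name="placeholder-upload" verb="*" path="up" type="Placeholder.Up" />
  <!-- <add name="placeholder-temp" verb="*" path="temp" type="Placeholder.Temp" /> -->
</handlers></system.webServer></configuration>"""

if __name__ == "__main__":
    for label, xml_text in (("active", SAMPLE_ACTIVE), ("disabled", SAMPLE_DISABLED)):
        print(label, "mitigated:", mitigation_applied(xml_text), find_temp_handlers(xml_text))
```

To audit a server, pass the bytes read from the Web.config path given above to `mitigation_applied`.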
Although only a handful of successful breaches have been confirmed, the existence of an unpatched vulnerability and ongoing attacker activity underscore the urgent need for immediate defensive action. Given the history of prior incidents involving CentreStack and TrioFox, the current exposure serves as a critical reminder of the importance of swift response and thorough configuration audits across affected infrastructures.