Zero-Day Alert: Attackers Exploit New Flaw to Bypass CentreStack RCE Patch
Gladinet has released a security update for its enterprise CentreStack solution that remedies a local file inclusion (LFI) vulnerability, CVE-2025-11371 (CVSS 6.2). Attackers have been actively exploiting this flaw as a zero-day since late September to bypass mitigations put in place for an earlier, more severe vulnerability—CVE-2025-30406 (CVSS 9.8)—which involved deserialization and remote code execution.
The weakness stemmed from the temporary upload handler at /storage/t.dn, which accepted an s= parameter vulnerable to directory traversal. Insufficient input sanitization allowed an adversary to read any file accessible to the NT AUTHORITY\SYSTEM account—including Web.config. That file contains the machine key, enabling an attacker to craft a forged ViewState and chain into CVE-2025-30406 to execute arbitrary code on the server.
Huntress observed real-world exploitation: initial GET requests to /storage/t.dn?s=... retrieved Web.config, followed by POST requests carrying payloads that invoked command execution. Published examples in PowerShell demonstrate that an unauthenticated request can return the Web.config contents.
The patch addressing CVE-2025-11371 is included in CentreStack 16.10.10408.56683; administrators are urged to apply this update promptly. Where patching is not immediately feasible, a temporary mitigation is to disable the vulnerable handler by removing its definition from Web.config for the UploadDownloadProxy component.
Although Huntress published a proof-of-concept exploit, the full exploitation chain—particularly the specifics of leveraging CVE-2025-30406—has not been fully disclosed. The vendor reports that, after notification from Huntress, temporary safeguards were issued and subsequently superseded by a comprehensive fix. Security teams should continue monitoring activity and review access logs for requests to /storage/t.dn.
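The log review recommended above can be scripted. The following is an added example, not code from the article, from Gladinet or from Huntress: it parses IIS W3C access logs, flags every request to /storage/t.dn, rates hits whose s= parameter carries directory-traversal sequences or references Web.config as high, rates POSTs to the handler as medium (the pattern the article describes following the Web.config read), and reports client addresses that performed both in sequence. The field names assumed are the IIS defaults (cs-method, cs-uri-stem, cs-uri-query, c-ip), and the sample log lines are constructed.

```python
"""Review IIS W3C access logs for requests to the CentreStack /storage/t.dn handler.

Added example, not from the article or the vendor. Assumes default IIS W3C
field names; adjust FIELDS handling if your logging configuration differs.
"""
import re
from urllib.parse import parse_qs, unquote

HANDLER_PATH = "/storage/t.dn"
# "../" or "..\" either literally or with the dots percent-encoded (single or double).
TRAVERSAL_RE = re.compile(r"(\.\.[/\\]|%2e%2e|%252e%252e)", re.IGNORECASE)

# Constructed sample log lines (not real traffic). Field order follows the #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-10-01 10:00:01 10.0.0.5 GET /storage/t.dn s=..%2F..%2F..%2FWeb.config 443 203.0.113.10 200
2025-10-01 10:00:02 10.0.0.5 GET /portal/loginpage.aspx - 443 198.51.100.7 200
2025-10-01 10:00:05 10.0.0.5 POST /storage/t.dn - 443 203.0.113.10 200
2025-10-01 10:01:00 10.0.0.5 GET /storage/t.dn s=abcdef 443 192.0.2.44 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def classify(entry):
    """Return (severity, reason) for a hit on the handler, or None for other paths."""
    if entry.get("cs-uri-stem", "").lower() != HANDLER_PATH:
        return None
    method = entry.get("cs-method", "").upper()
    query = entry.get("cs-uri-query", "-")
    if query != "-":
        # parse_qs decodes once; unquote again so double-encoded traversal is visible.
        for raw in parse_qs(query, keep_blank_values=True).get("s", []):
            decoded = unquote(raw)
            if (TRAVERSAL_RE.search(raw) or TRAVERSAL_RE.search(decoded)
                    or "web.config" in decoded.lower()):
                return ("high", "traversal or Web.config reference in s= parameter")
    if method == "POST":
        return ("medium", "POST to the temporary upload handler")
    return ("low", "other access to /storage/t.dn")


def scan_log(text):
    """Return a list of findings (in log order) for every request to the handler."""
    findings = []
    for entry in parse_w3c(text):
        verdict = classify(entry)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "time": f"{entry.get('date', '?')} {entry.get('time', '?')}",
            "client": entry.get("c-ip", "?"),
            "method": entry.get("cs-method", "?"),
            "severity": severity,
            "reason": reason,
        })
    return findings


def chained_clients(findings):
    """Clients that issued a high-severity GET and later a POST to the handler."""
    seen_high = set()
    chained = set()
    for f in findings:  # findings are in log order, so "later" is positional
        if f["severity"] == "high":
            seen_high.add(f["client"])
        elif f["severity"] == "medium" and f["client"] in seen_high:
            chained.add(f["client"])
    return sorted(chained)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} {f['client']:>15} {f['method']:<4} [{f['severity']}] {f['reason']}")
    print("clients showing read-then-POST sequence:", chained_clients(results))
```

Run it against a real log with `scan_log(open(path).read())`. Low-severity hits are included deliberately: the handler is a legitimate part of the product, so a baseline of normal access volume makes the high and medium entries stand out, and a client appearing in `chained_clients` warrants incident-response follow-up rather than just patching.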