
Cybersecurity firm Huntress has issued a critical security warning after detecting active exploitation of a zero-day vulnerability affecting Gladinet CentreStack and TrioFox—two widely used enterprise file-sharing and remote access platforms.
The security flaw, tracked as CVE-2025-11371, has been assigned a CVSS severity score of 6.1 and currently remains unpatched, putting thousands of businesses at risk of data exposure and remote code execution (RCE) attacks.
CVE-2025-11371 is an unauthenticated Local File Inclusion (LFI) vulnerability found in both Gladinet CentreStack and TrioFox. This means attackers can exploit the flaw without needing login credentials, making it especially dangerous. The bug allows unauthorized access to sensitive system files stored on the affected server.
According to Huntress, this vulnerability impacts all versions released before and including 16.7.10368.56560 of both software products.
What makes this threat even more serious is that attackers can abuse the LFI flaw to access the Web.config file and extract the machine key. With this machine key, they can chain the attack with another known vulnerability to achieve full remote code execution (RCE) on the victim’s system.
Just months earlier, both TrioFox and Gladinet were found to be vulnerable to another serious flaw—CVE-2025-30406, a hard-coded machine key vulnerability with a CVSS score of 9.0. That bug allowed attackers to execute code remotely by abusing ViewState deserialization in ASP.NET applications.
Although Gladinet released an update to address CVE-2025-30406, this newly discovered CVE-2025-11371 zero-day effectively bypasses previous security fixes. Huntress explained that attackers can use the new LFI bug to retrieve the same machine key that was previously hard-coded, allowing them to reactivate RCE attacks using the ViewState deserialization flaw.
Huntress reports that it has already observed real-world exploitation of this flaw starting on September 27, 2025. So far, at least three Huntress customers have been affected, confirming that threat actors are actively scanning for and exploiting vulnerable Gladinet and TrioFox servers.
Because these platforms are often used by IT service providers, enterprises, and cloud storage vendors to manage secure file sharing, the potential attack surface is large. Successful exploitation may allow attackers to:
Gain unauthorized access
Execute malicious scripts
Install ransomware
Steal corporate data
Hijack servers
Move laterally across networks
Huntress has withheld full exploit details due to the severity of the threat and the absence of an official vendor patch. The researchers stated that revealing full proof-of-concept (PoC) details would only help attackers escalate attacks.
So far, Gladinet has not released a security patch, and it is unclear when a fix will be available. This leaves system administrators with limited defense options for now.
Until a vendor patch is available, Huntress strongly recommends applying a temporary workaround to reduce exposure.
Locate the following file: C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config
Disable the temp handler inside the Web.config file.
This blocks the attack vector used in exploit attempts. Huntress warns that some platform functionality may break temporarily, but security should be prioritized until a patch is released.

Expert Warning from Huntress Security Team
In their advisory, Huntress researchers Bryan Masters, James Maclachlan, Jai Minton, and John Hammond emphasized:
“This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched.”
They also advised organizations to:
Monitor logs for suspicious file access requests
Check for unauthorized access to Web.config
Review server activity for potential ViewState exploitation
Harden ASP.NET settings to disable ViewState MAC if not required
Restrict external access to Gladinet/TrioFox servers
Enable endpoint detection and response (EDR) monitoring
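The log monitoring advised above can be sketched as a scan of IIS W3C logs for requests that reference Web.config or path traversal. This is an added example, not code from Huntress or Gladinet; the log lines are constructed, and the handler path and `f` parameter are placeholders because the real request format is not disclosed on this page.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log sample; the handler path and parameter are placeholders,
# not the real CentreStack/TrioFox request format (the page does not disclose it).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2025-09-27 10:01:12 203.0.113.7 - GET /placeholder/handler f=..%5C..%5CWeb.config 200
2025-09-27 10:01:40 203.0.113.7 - GET /placeholder/handler f=%252e%252e%252fweb.config 200
2025-09-27 10:02:03 198.51.100.20 alice GET /portal/files.aspx id=42 200
2025-09-27 10:02:30 203.0.113.7 - GET /placeholder/handler f=..%2F..%2Fweb.config 404
"""

# Indicators taken from the advice above: reads of Web.config and traversal sequences.
SUSPICIOUS = re.compile(r"web\.config|\.\.[\\/]", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal is still visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_suspicious_requests(log_text):
    """Return flagged entries from W3C-format log text, honouring #Fields headers."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        target = fully_decode(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
        if SUSPICIOUS.search(target):
            hits.append({
                "time": row.get("date", "") + " " + row.get("time", ""),
                "client": row.get("c-ip", ""),
                "request": target,
                "anonymous": row.get("cs-username", "-") == "-",
                "served": row.get("sc-status", "").startswith("2"),
            })
    return hits

if __name__ == "__main__":
    print(*find_suspicious_requests(SAMPLE_LOG), sep="\n")
```

An anonymous hit with `served` set means the file may have been returned, so the machine key in that Web.config should be treated as exposed.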
This incident shows how attack chains can turn a medium-severity bug into a high-impact breach. Although CVE-2025-11371 is originally classified as an LFI vulnerability, attackers have weaponized it to achieve full remote code execution, making it as dangerous as any critical RCE vulnerability.
Security analysts fear that ransomware groups may soon adopt this exploit, especially given their frequent targeting of remote access and file management solutions used by IT service providers.
If your organization uses Gladinet CentreStack or TrioFox, take action NOW:
Apply the Web.config temp handler workaround
Restrict external access to the UploadDownloadProxy directory
Monitor servers for suspicious ViewState requests
Audit for unauthorized file access
Prepare for incident response if compromise is suspected
Follow Huntress updates for patch releases