Attackers are actively exploiting a zero-day vulnerability, CVE-2025-11371, in Gladinet CentreStack and TrioFox file-sharing and remote access platforms. This vulnerability is an unauthenticated local file inclusion (LFI) flaw that allows threat actors to access sensitive system files, including the application’s Web.config file. By retrieving the machine key from this configuration file, attackers can leverage a previously patched vulnerability, CVE-2025-30406, to achieve remote code execution (RCE) through ViewState deserialization attacks. Huntress, a cybersecurity firm, first detected exploitation of this flaw on September 26-27, 2025, and has confirmed that at least three customers have been impacted so far. The vulnerability affects all versions of CentreStack and TrioFox up to and including 16.7.10368.56560, and there is currently no official patch available from Gladinet. Both self-hosted and cloud-hosted deployments of these platforms are at risk, as the flaw impacts default installations and configurations. The exploitation chain involves using the LFI to extract the machine key, which is then used to craft malicious ViewState payloads that bypass integrity checks and enable arbitrary code execution on the server. Notably, Huntress observed successful exploitation even on systems that had already patched CVE-2025-30406, indicating that the previous fix was insufficient to fully mitigate the risk. In response, Huntress and other security experts recommend disabling the "temp" handler within the UploadDownloadProxy Web.config file as an immediate mitigation, though this may impact some platform functionality. Gladinet has acknowledged the vulnerability and its active exploitation but has not yet released a patch, urging customers to implement the recommended mitigations. The affected products are widely used by managed service providers, small businesses, and enterprises for secure file access and sharing, increasing the potential impact of this vulnerability. Attackers exploiting this flaw can gain full control over affected servers, leading to data theft, lateral movement, or further compromise of organizational networks. Security researchers are withholding some technical details to prevent further exploitation while a patch is developed. Organizations using CentreStack or TrioFox should urgently review their configurations and apply the recommended mitigations to reduce exposure. The incident highlights the risks associated with chained vulnerabilities and the importance of defense-in-depth strategies. Ongoing monitoring and threat detection are advised until a permanent fix is available. The situation remains fluid, with active exploitation continuing and the vendor working on a security update.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
By the time the fix was reported, proof-of-concept exploit details for CVE-2025-11371 had been published publicly. This raised the likelihood of broader opportunistic attacks against unpatched or unmitigated systems.
Gladinet released CentreStack version 16.10.10408.56683 to address the actively exploited zero-day. Organizations unable to upgrade were still advised to use the temp-handler mitigation.
A ProjectDiscovery GitHub pull request was opened to add a Nuclei template for detecting CVE-2025-11371 in Gladinet CentreStack and TrioFox. The submission referenced public research and a proof-of-concept for validation.
Horizon3.ai released technical details for CVE-2025-11371, describing how the LFI could expose Web.config, leak machine keys, and lead to remote code execution. The publication also included indicators of compromise and defensive guidance such as rotating the machineKey after containment.
Gladinet began notifying customers about the actively exploited vulnerability and stated it was working on a solution. This marked the vendor's response while affected versions remained exposed.
With no vendor fix available, Gladinet and Huntress advised customers to disable the temp handler in the UploadDownloadProxy Web.config file to reduce exposure. The workaround was noted to impair some product functionality but was recommended because exploitation was ongoing.
Huntress detected active exploitation of CVE-2025-11371 impacting at least three customer environments. Researchers found the flaw affected Gladinet CentreStack and TrioFox installations and warned that no patch was yet available.
Threat actors began exploiting the Gladinet CentreStack and TrioFox zero-day CVE-2025-11371 in the wild in late September 2025. The unauthenticated local file inclusion flaw could be chained to recover machine keys and enable remote code execution via ViewState deserialization.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
11 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcegithub.com
Open sourcebleepingcomputer.com
Open sourcehorizon3.ai
Open sourcebankinfosecurity.com
Open sourcegovinfosecurity.com
Open sourcebleepingcomputer.com
Open sourcehelpnetsecurity.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.