Threat actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox products, which allows a local attacker to access system files without authentication.

At least three companies have been targeted so far. Although a patch is not yet available, customers can apply mitigations.

CentreStack and Triofox are Gladinet’s business solutions for file sharing and remote access that allow using a company’s own storage as a cloud. According to the vendor, CentreStack “is used by thousands of businesses from over 49 countries.”

No fix, all versions affected

The zero-day vulnerability CVE-2025-11371 is a Local File Inclusion (LFI) flaw affecting the default installation and configuration of both products, impacting all versions  including the latest release, 16.7.10368.56560.

Researchers at managed cybersecurity platform Huntress detected the security issue on September 27 when a threat actor successfully exploited it to obtain a machine key and execute code remotely.

A closer analysis revealed that the issue was an LFI leveraged to read the Web.config and extract the machine key. This allowed the attacker to use an older deserialization vulnerability (CVE-2025-30406) and achieve remote code execution (RCE) through ViewState.

The CVE-2025-30406 deserialization bug in CentreStack and Triofox was also exploited in the wild in March, and was due to a hardcoded machine key. An attacker knowing the key could perform RCE on an affected system.

“After subsequent analysis, Huntress discovered exploitation of an unauthenticated local file inclusion vulnerability (CVE-2025-11371) that allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability” – Huntress

Huntress contacted Gladinet to let them know the finding.  The vendor confirmed that it was aware of the vulnerability and said that it was in the process of notifying customers of a workaround until a patch is available.

The researchers shared the mitigation with the targeted customer and published the following recommendations to protect against CVE-2025-11371:

1. Disable the temp handler in the Web.config file for the UploadDownloadProxy component at “C:Program Files (x86)Gladinet Cloud EnterpriseUploadDownloadProxyWeb.config”
2. Locate and remove the line that defines the temp handler — it points to t.dn

This line enables the vulnerable functionality that attackers exploit via Local File Inclusion, so removing it prevents exploitation of CVE-2025-11371.

The researchers warn that the mitigations “will impact some functionality of the platform,” but make sure that the vulnerability cannot be exploited.