CVE-2025-11371

Gladinet CentreStack / Triofox Local File Inclusion (LFI) | 0-Day Active Exploitation

CVE-2025-11371 is an unauthenticated local file inclusion (LFI) vulnerability in Gladinet CentreStack and Triofox that allows an attacker to access arbitrary files on the host system. An attacker can utilize this to obtain the instance’s machine key and forge signed data to achieve remote code execution. As of October 10, 2025, CVE-2025-11371 has no patch available, and there is evidence of active exploitation in the wild.

Technical Details

  • The root issue is an unauthenticated LFI that allows arbitrary file reads from the web application.
  • Retrieving the instance’s machine key enables attackers to craft valid ViewState payloads that deserialize on the server and achieve remote code execution.
  • Huntress has observed in-the-wild exploitation. 

NodeZero® Offensive Security Platform — Rapid Response

The Gladinet CentreStack Rapid Response test (CVE-2025-11371), released October 14, 2025, enables customers to safely verify whether CentreStack instances are vulnerable to the LFI flaw (and therefore susceptible to full compromise) and to confirm that mitigations are effective.

  • Run the Rapid Response test — launch the Gladinet CentreStack — CVE-2025-11371 Rapid Response test from the customer portal to scan internet-facing and internal portal endpoints for the LFI exposure and the resulting RCE risk.
  • Mitigate immediately — as there is no patch available, follow the recommended immediate workarounds to eliminate risk. Disable the temp handler in UploadDownloadProxy\Web.config.
    • Note: Removing it blocks exploitation but does affect functionality.
  • Rotate machineKey and patch related flaws — if you discover Web.config disclosure or signs of exploitation, contain affected hosts, rotate the machineKey (following vendor guidance for clustered deployments).
  • Re-run the Rapid Response test — after mitigations, re-run the Gladinet CentreStack Rapid Response test to confirm the LFI path is no longer exploitable.

If the Rapid Response test confirms exploitability, collect forensic artifacts (web logs showing Web.config retrieval, process trees showing suspicious child processes from w3wp.exe, and the original malicious requests), isolate affected systems, and open an incident with your IR team.

Indicators of Compromise (IOCs) — hunting guidance

| Indicator | Type | Description / detection tips |
|---|---|---|
| GET or POST requests targeting UploadDownloadProxy temp paths | Network / Web | Unexpected requests to UploadDownloadProxy or t.dn temp handler files — look for directory traversal patterns (e.g., `../`) or responses containing Web.config content. |
| Disclosure of Web.config contents | File / Behavior | Logs, web responses, or saved request captures containing machineKey or other sensitive config material. |
| Suspicious ViewState payloads | Behavior | Large/anomalous base64 ViewState values, or ViewState values resulting in unexpected child processes under the web app (e.g., w3wp.exe spawning shells). Use existing detection rules for CVE-2025-30406-style deserialization activity. |
| Unexpected child process / command execution from web process | Host | w3wp.exe or equivalent web worker spawning shell processes or unusual binaries — correlate with web logs and the exploit timeline. |
| Anomalous outbound traffic / C2 indicators | Network | Post-exploit callbacks, data exfiltration to unknown hosts, or unusual egress following web requests. |
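The web-side rows of the table (temp-handler requests with traversal patterns, and requests that reference Web.config) can be hunted for directly in IIS W3C logs. The script below is an added example for this advisory, not Horizon3/NodeZero or Gladinet code. It decodes each request URI twice (to catch double URL encoding), tags rows that touch the UploadDownloadProxy / t.dn temp handler, and escalates when a traversal sequence or a Web.config reference is present. The log lines, client addresses, the `f=` query parameter and the request paths are all constructed sample data, not captures from a real incident.

```python
"""Hunt IIS W3C web logs for CVE-2025-11371 indicators (added example).

Assumptions: IIS W3C extended log format with a #Fields: header; the temp
handler is identified by "UploadDownloadProxy" or "t.dn" in the request URI,
as named in the IOC table. Sample data below is constructed.
"""
import re
from urllib.parse import unquote

TEMP_HANDLER = re.compile(r"uploaddownloadproxy|t\.dn", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\./|\.\.\\")
WEBCONFIG = re.compile(r"web\.config", re.IGNORECASE)

# Constructed sample log (IPs, paths and the "f" parameter are invented).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-10 08:01:12 10.0.0.5 GET /portal/default.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 120
2025-10-10 08:02:45 10.0.0.5 GET /UploadDownloadProxy/t.dn f=..%2F..%2F..%2FWeb.config 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 35
2025-10-10 08:02:58 10.0.0.5 GET /UploadDownloadProxy/t.dn f=%252e%252e%252f%252e%252e%252fweb.config 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 31
2025-10-10 08:05:03 10.0.0.5 GET /UploadDownloadProxy/t.dn f=quarterly-report.pdf 443 jdoe 198.51.100.20 Mozilla/5.0 - 200 0 0 88
2025-10-10 08:07:19 10.0.0.5 POST /portal/default.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 410
"""


def decode(uri: str) -> str:
    """URL-decode twice so %252e%252e%252f (double encoding) becomes ../."""
    return unquote(unquote(uri))


def parse_w3c(text: str) -> list:
    """Parse W3C log text into dicts keyed by the #Fields: header names."""
    fields, rows = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw.startswith("#") or not raw.strip():
            continue
        elif fields:
            parts = raw.split(" ")
            if len(parts) == len(fields):  # skip malformed lines
                rows.append(dict(zip(fields, parts)))
    return rows


def classify(row: dict) -> list:
    """Tag one request; an empty list means nothing of interest."""
    target = decode(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
    tags = []
    if TEMP_HANDLER.search(target):
        tags.append("temp-handler")
        if TRAVERSAL.search(target):
            tags.append("traversal")
    if WEBCONFIG.search(target):
        tags.append("web.config")
    return tags


def severity(tags: list) -> str:
    """Traversal or Web.config access via the web app is high; plain handler use is info."""
    if "traversal" in tags or "web.config" in tags:
        return "high"
    return "info" if tags else "none"


def hunt(text: str) -> list:
    """Return flagged requests in log order, each with client, tags and severity."""
    hits = []
    for n, row in enumerate(parse_w3c(text), start=1):
        tags = classify(row)
        if tags:
            hits.append({
                "row": n,
                "client": row.get("c-ip"),
                "uri": row.get("cs-uri-stem"),
                "tags": tags,
                "severity": severity(tags),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"[{hit['severity']:<4}] row {hit['row']} {hit['client']} {hit['uri']} {hit['tags']}")
```

Legitimate downloads through the handler still appear as `info` hits, so the `high` rows are the ones to correlate with the host-side indicators in the table (w3wp.exe child processes, outbound connections) and with the timeline of any Web.config disclosure.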


Affected Versions & Patch

  • CVE-2025-11371 (LFI): version 16.4.10315.56368 and all prior versions are affected. No patch is currently available.

Recommended actions (summary)

  1. Inventory & scope — identify all web portal instances (internet-facing and internal admin portals).
  2. If exploitable, apply the workaround: remove / disable the temp handler in the UploadDownloadProxy Web.config, located at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config. This affects functionality but removes the exploitable path.
  3. Contain & investigate — isolate affected hosts, collect web logs and process trees, check for Web.config disclosure and suspicious ViewState payloads.
  4. Rotate machineKey only after containment and patching — coordinate rotation across clustered nodes per vendor guidance. Disclosure of the machineKey invalidates ViewState protections.
  5. Patch — apply Gladinet vendor updates when published and re-run Rapid Response tests to confirm remediation.
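Step 2 and the final re-verification both come down to one question: is the temp handler still registered in the UploadDownloadProxy Web.config? The script below is an added example for this advisory, not Gladinet or Horizon3 code. It assumes the handler is registered as a standard IIS `<add>` element under `<system.webServer><handlers>` whose `path` attribute is `t.dn` (the handler file named in the IOC table); the handler's `type` attribute is not on the page, so the sample Web.config uses labelled placeholders for it.

```python
"""Audit a Web.config for the UploadDownloadProxy temp handler (added example).

Assumptions: the temp handler is an IIS <add> element with path="t.dn" under
<system.webServer><handlers>; the "type" attributes below are placeholders
because the real values are not documented in the advisory.
"""
import shutil
import xml.etree.ElementTree as ET

DEFAULT_CONFIG = r"C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config"
TEMP_HANDLER_PATH = "t.dn"

# Constructed sample of the *vulnerable* state (handler still present).
SAMPLE_WEB_CONFIG = """\
<configuration>
  <system.webServer>
    <handlers>
      <add name="temp" path="t.dn" verb="*" type="TEMP_HANDLER_TYPE_PLACEHOLDER" />
      <add name="upload" path="upload.dn" verb="*" type="UPLOAD_HANDLER_TYPE_PLACEHOLDER" />
    </handlers>
  </system.webServer>
</configuration>
"""


def find_temp_handlers(xml_text: str) -> list:
    """Return the names of every handler mapped to t.dn (empty list = mitigated)."""
    root = ET.fromstring(xml_text)
    names = []
    # iter() also reaches <handlers> nested inside <location> blocks.
    for handlers in root.iter("handlers"):
        for add in handlers.findall("add"):
            if add.get("path", "").lower() == TEMP_HANDLER_PATH:
                names.append(add.get("name", "<unnamed>"))
    return names


def remove_temp_handlers(xml_text: str) -> tuple:
    """Return (hardened XML, number of t.dn handler entries removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for handlers in root.iter("handlers"):
        for add in list(handlers.findall("add")):
            if add.get("path", "").lower() == TEMP_HANDLER_PATH:
                handlers.remove(add)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def audit_file(path: str = DEFAULT_CONFIG) -> list:
    """Read a Web.config from disk and report remaining t.dn handlers."""
    with open(path, encoding="utf-8-sig") as fh:
        return find_temp_handlers(fh.read())


def harden_file(path: str = DEFAULT_CONFIG) -> int:
    """Back up Web.config to <path>.bak, strip t.dn handlers, return count removed."""
    with open(path, encoding="utf-8-sig") as fh:
        original = fh.read()
    hardened, removed = remove_temp_handlers(original)
    if removed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(hardened)
    return removed


if __name__ == "__main__":
    print("before:", find_temp_handlers(SAMPLE_WEB_CONFIG))
    hardened_xml, count = remove_temp_handlers(SAMPLE_WEB_CONFIG)
    print("removed:", count, "after:", find_temp_handlers(hardened_xml))
```

Run `audit_file()` on each CentreStack / Triofox node before and after the workaround: a non-empty list means the temp handler is still exposed. `harden_file()` performs the removal with a `.bak` copy; restarting the application pool afterwards and re-running the Rapid Response test is still the confirmation the advisory calls for.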

References

  • Huntress
  • The Hacker News
