Cybersecurity firm Huntress has identified active exploitation of an unpatched security vulnerability affecting Gladinet CentreStack and TrioFox products. This zero-day flaw, designated as CVE-2025-11371 with a CVSS score of 6.1, is an unauthenticated local file inclusion (LFI) vulnerability that permits unauthorized access to system files. All software versions up to and including 16.7.10368.56560 are susceptible.
Huntress first detected this malicious activity on September 27, 2025, noting that three of its clients have been impacted to date. The LFI vulnerability enables attackers to retrieve the machine key from the application’s Web.config file. With that key, an attacker can achieve remote code execution via a ViewState deserialization vulnerability. Given the ongoing exploitation and the absence of a patch, specific technical details are being withheld to prevent further abuse.
Previously, both Gladinet CentreStack and TrioFox were affected by CVE-2025-30406, a critical vulnerability with a CVSS score of 9.0. This flaw involved a hard-coded machine key that allowed threat actors to perform remote code execution through a ViewState deserialization vulnerability. This earlier vulnerability has also been actively exploited.
In one case investigated by Huntress, the affected software version was newer than 16.4.10315.56368 and not vulnerable to CVE-2025-30406. This suggests that attackers could exploit earlier versions to obtain the hard-coded machine key and execute remote code via the ViewState deserialization flaw.
To mitigate the risk associated with CVE-2025-11371, users are advised to disable the temp handler within the Web.config file for UploadDownloadProxy, located at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config. While this action may impact some platform functionalities, it will prevent exploitation of the vulnerability until an official patch is released.
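To confirm the mitigation took effect, the following added example (not from Huntress or Gladinet) lists the handlers still registered in the UploadDownloadProxy Web.config and flags any that look like the temp handler. The page does not name the handler, so the `temp` match pattern and the sample handler names are assumptions; set `-Pattern` to the value given in the vendor guidance.

```powershell
# Added example: read-only audit of handler registrations in a Web.config.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config',
    # Assumption: the handler's real name is not given on the page; match "temp" loosely.
    [string]$Pattern = 'temp'
)

# Constructed sample, used only when $ConfigPath does not exist (all names are placeholders).
$sample = @'
<configuration>
  <system.webServer>
    <handlers>
      <add name="ExampleTempHandler" verb="*" path="example-temp.placeholder" type="Example.TempHandler" />
      <add name="ExampleUpload" verb="POST" path="example-upload.placeholder" type="Example.Upload" />
      <!-- <add name="ExampleTempDisabled" verb="*" path="x.placeholder" type="Example.Temp2" /> -->
    </handlers>
  </system.webServer>
</configuration>
'@

function Get-HandlerEntry {
    param([xml]$Config, [string]$Pattern)
    # Integrated mode uses system.webServer/handlers, classic mode system.web/httpHandlers.
    # local-name() keeps the query working if the file declares a default namespace.
    $xpath = "//*[local-name()='handlers' or local-name()='httpHandlers']/*[local-name()='add']"
    foreach ($node in $Config.SelectNodes($xpath)) {
        $text = '{0} {1} {2}' -f $node.GetAttribute('name'), $node.GetAttribute('path'), $node.GetAttribute('type')
        [pscustomobject]@{
            Section = $node.ParentNode.LocalName
            Name    = $node.GetAttribute('name')
            Path    = $node.GetAttribute('path')
            Type    = $node.GetAttribute('type')
            # Commented-out entries are XML comments, not elements, so they never reach this loop.
            Flagged = $text -match [regex]::Escape($Pattern)
        }
    }
}

if (Test-Path -LiteralPath $ConfigPath) { [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw }
else { Write-Warning 'Config not found, using constructed sample'; [xml]$cfg = $sample }

$entries = @(Get-HandlerEntry -Config $cfg -Pattern $Pattern)
$entries | Format-Table -AutoSize
$hits = @($entries | Where-Object Flagged)
if ($hits.Count) { Write-Warning "$($hits.Count) handler(s) matching '$Pattern' still registered" }
else { Write-Output "No registered handler matches '$Pattern'" }
```

The script only reads the file. Run against the constructed sample, it flags `ExampleTempHandler` and ignores the commented-out entry, which is the state a disabled handler should be in.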