Unauthenticated LFI in Gladinet CentreStack and Triofox Enables RCE


Huntress researchers identified active exploitation of a new zero-day flaw in Gladinet CentreStack and Triofox products. This flaw enables attackers to access the application’s Web.config file, extract a machine key, and chain it with a previous deserialization flaw to achieve remote code execution (RCE). The issue remains unpatched, but a mitigation is available that organizations should apply immediately.

Severity: High

Vulnerability Details

  • CVE ID: CVE-2025-11371
  • Type: Unauthenticated Local File Inclusion (LFI)
  • Affected Products: Gladinet CentreStack and Triofox
  • Potential Consequences:
    • Remote code execution
    • Data exfiltration and lateral movement
    • Compromise of managed file-sharing infrastructure
  • Threat Outlook: Given the presence of an LFI-to-RCE chain and the absence of a patch, this flaw is highly exploitable. Attackers could weaponize it in ransomware delivery or supply-chain attacks, targeting MSPs, cloud storage providers, and enterprise file gateways.

Exploitation

  • Initial Access: The attacker targets the vulnerable endpoint in UploadDownloadProxy, leveraging the LFI flaw to read sensitive files (e.g., Web.config).
  • Data Exfiltration: The attacker extracts the machine key used for ViewState validation.
  • Privilege Escalation: Using the key, the attacker crafts and signs a malicious ViewState payload.
  • Remote Code Execution: When the server deserializes the tampered ViewState object, attacker-controlled code executes under the web application’s privileges.
  • Post-Exploitation: Observed payloads include Base64-encoded commands executed as child processes of the IIS web server.
  • In-the-Wild Exploitation: Confirmed in at least three organizations prior to public disclosure.
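As an added example, not from the advisory or the vendor: a Python sketch of the detection a SOC could run over process-creation telemetry to surface the post-exploitation pattern noted above, Base64-encoded commands spawned as children of the IIS worker process (w3wp.exe). The field names follow Sysmon Event ID 1 and all sample events are constructed.

```python
"""Flag w3wp.exe children whose command line carries a Base64-encoded command.
Events use Sysmon Event ID 1 style field names (an assumption); samples are constructed."""
import base64
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")  # a run long enough to hold a command
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s")  # -EncodedCommand and the prefixes powershell.exe accepts
ASCII_TEXT = set(map(chr, range(0x20, 0x7F))) | set("\t\r\n")


def decode_command(token):
    """Return the text if `token` is Base64 of readable ASCII (UTF-16LE, as powershell.exe expects, or UTF-8), else None."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):  # every high byte zero -> UTF-16LE ASCII
        text = raw.decode("utf-16-le")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    return text if text and set(text) <= ASCII_TEXT else None


def flag_iis_children(events):
    """Return one finding per w3wp.exe child whose command line decodes to text."""
    findings = []
    for ev in events:
        parent = ev.get("ParentImage", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if parent != "w3wp.exe":
            continue
        cmd = ev.get("CommandLine", "")
        decoded = next((d for d in map(decode_command, B64_RUN.findall(cmd)) if d), None)
        if decoded is not None:
            findings.append({"image": ev.get("Image", ""), "decoded": decoded,
                             "encoded_flag": bool(ENC_FLAG.search(cmd))})
    return findings


# Constructed sample events, not from a real incident.
ENCODED = base64.b64encode("whoami; hostname; ipconfig /all".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo 3f786850e387550fdab836ed7e6dc881de23001b3f786850e387550fdab836ed"},  # hex, not a command
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -enc {ENCODED}"},  # same payload, but not spawned by IIS
]
```

Only the first sample is flagged: the hex token decodes to binary rather than text, and the third event has a non-IIS parent.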

Recommendations

  1. Mitigation: Disable the temp handler within C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config
    This prevents exploitation until a patch is applied, but it may affect some upload/download functionality.
  2. Monitor vendor advisories and apply patches once released by Gladinet & Triofox.

Ampcus Cyber