Unauthenticated LFI in Gladinet CentreStack and Triofox Enables RCE

Huntress researchers identified active exploitation of a new zero-day flaw in Gladinet CentreStack and Triofox products. This flaw enables attackers to access the application’s Web.config file, extract a machine key, and chain it with a previous deserialization flaw to achieve remote code execution (RCE). The issue remains unpatched, but a mitigation is available that organizations should apply immediately.

Severity: High

Vulnerability Details

  • CVE ID: CVE-2025-11371
  • Type: Unauthenticated Local File Inclusion (LFI)
  • Affected Products: Gladinet CentreStack and Triofox
  • Potential Consequences:
    • Remote code execution
    • Data exfiltration and lateral movement
    • Compromise of managed file-sharing infrastructure
  • Threat Outlook: Given the LFI-to-RCE chain and the absence of a patch, this flaw is highly exploitable. Attackers could weaponize it for ransomware delivery or supply-chain attacks targeting MSPs, cloud storage providers, and enterprise file gateways.

Exploitation

  • Initial Access: The attacker targets the vulnerable endpoint in UploadDownloadProxy, leveraging the LFI flaw to read sensitive files (e.g., Web.config).
  • Data Exfiltration: The attacker extracts the machine key used for ViewState validation.
  • Privilege Escalation: Using the key, the attacker crafts and signs a malicious ViewState payload.
  • Remote Code Execution: When the server deserializes the tampered ViewState object, attacker-controlled code executes under the web application’s privileges.
  • Post-Exploitation: Observed payloads include Base64-encoded commands executed as child processes of the IIS web server.
  • In-the-Wild Exploitation: Confirmed in at least three organizations prior to public disclosure.
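The post-exploitation observation above (Base64-encoded commands launched as child processes of the IIS worker) can be turned into a simple hunting check. The following is an added example, not code from Huntress or the advisory: it assumes Sysmon-style process-creation fields (ParentImage, Image, CommandLine), treats w3wp.exe as the IIS worker process, and decodes PowerShell -EncodedCommand payloads (Base64 over UTF-16LE) so an analyst can see what was run.

```python
import base64
import re

IIS_WORKER = "w3wp.exe"                       # IIS worker process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell accepts -e, -ec, -en, -enc, ... as abbreviations of -EncodedCommand
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Constructed sample events (not real telemetry); the encoded payload is a benign "whoami".
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -enc "
                    + base64.b64encode("whoami".encode("utf-16-le")).decode()},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # normal interactive use, not flagged
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc dwBoAG8AYQBtAGkA"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_iis_child_shells(events):
    """Flag shells spawned by the IIS worker; attach the decoded payload where present."""
    findings = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent != IIS_WORKER or child not in SHELLS:
            continue
        findings.append({"image": child, "cmdline": ev["CommandLine"],
                         "decoded": decode_encoded_command(ev["CommandLine"])})
    return findings


if __name__ == "__main__":
    for f in flag_iis_child_shells(SAMPLE_EVENTS):
        print(f"[IIS child shell] {f['image']}: {f['decoded'] or f['cmdline']}")
```

Any hit on a CentreStack or Triofox host warrants review of the UploadDownloadProxy request logs for the same time window.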

Recommendations

  1. Mitigation: Disable the temp handler within C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config
    This prevents exploitation until a patch is applied, but it may affect some upload/download functionality.
  2. Monitor vendor advisories and apply patches once released by Gladinet & Triofox.

Source:
