Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products.
The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and including 16.7.10368.56560.
Huntress said it first detected the activity on September 27, 2025, uncovering that three of its customers have been impacted so far.
It's worth noting that both applications were previously affected by CVE-2025-30406 (CVSS score: 9.0), a case of a hard-coded machine key that could allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability. The vulnerability has since come under active exploitation.
CVE-2025-11371, per Huntress, "allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability."
In one instance investigated by the company, the affected version was newer than 16.4.10315.56368 and not vulnerable to CVE-2025-30406, suggesting that attackers are exploiting the new flaw to extract the hard-coded machine key and use it to execute code remotely via the ViewState deserialization flaw.
In the interim, users are recommended to disable the "temp" handler within the Web.config file for UploadDownloadProxy located at "C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config."
"This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched," Huntress researchers Bryan Masters, James Maclachlan, Jai Minton, and John Hammond said.
Huntress told The Hacker News that it has observed a "handful of incidents" that led to a confirmed compromise as a result of CVE-2025-11371. The activity has not been attributed to any threat actor, although the possibility that the two sets of attacks could be the work of the same group has not been ruled out.
"It's unclear if these are the same threat actors, but I wouldn't be surprised since they would have already been familiar with this particular piece of software and they could have found this new vulnerability with minimal effort," Jamie Levy, director of adversary tactics at Huntress, said.
More Details of the Flaw Emerge
Gladinet, on October 14, 2025, released version 16.10.10408.56683 of CentreStack and TrioFox, which includes a fix for CVE-2025-11371, making it crucial that users apply the latest fixes as soon as possible.
In an updated report, Huntress said it observed an "unusual GET request" to the unauthenticated "/storage/t.dn" endpoint that prompted the server to respond with a copy of the Web.config file from the "C:\Program Files (x86)\Gladinet Cloud Enterprise\root\Web.config" location. The entire HTTP request is as follows:
GET /storage/t.dn?s=..\..\..\Program+Files+(x86)\Gladinet+Cloud+Enterprise\root\Web.config&sid=1
The request to the endpoint is handled by the "GladinetStorage.TempDownload" function located in a DLL named "GSUploadDownloadProxy.dll," which is designed to retrieve files from the temp directory for authenticated users.
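The request above is easy to hunt for retrospectively. The following Python is an added example (not Huntress' or Gladinet's code) that walks IIS W3C log lines and flags requests to the "/storage/t.dn" endpoint whose query string contains a decoded ".." path segment. It assumes the product is served by IIS with the default W3C field order listed in LOG_FIELDS (check the "#Fields:" header of your own logs); the log lines, IP addresses and timestamps are constructed samples.

```python
"""Flag IIS W3C log entries that look like CVE-2025-11371 traversal attempts.

Added example, not Huntress' or Gladinet's code. Assumes the default IIS
W3C field order in LOG_FIELDS; the log lines below are constructed samples.
"""
import re
from urllib.parse import unquote_plus

# Default IIS W3C field order this example assumes (compare with your "#Fields:" header).
LOG_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
              "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

VULNERABLE_STEM = "/storage/t.dn"        # unauthenticated endpoint named in the advisory
TRAVERSAL = re.compile(r"\.\.[\\/]")    # "../" or "..\" after URL decoding

# Constructed sample log: one traversal attempt against the handler (encoded form of the
# request quoted in the article), one benign request to the same endpoint, one unrelated hit.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-09-27 03:14:07 10.0.0.5 GET /storage/t.dn s=..%5c..%5c..%5cProgram+Files+(x86)%5cGladinet+Cloud+Enterprise%5croot%5cWeb.config&sid=1 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 15
2025-09-27 03:15:22 10.0.0.5 GET /storage/t.dn s=report.pdf&sid=1 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 8
2025-09-27 03:16:01 10.0.0.5 GET /portal/login.aspx - 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 4
"""


def parse_iis_line(line):
    """Split one W3C line into a dict keyed by LOG_FIELDS; None for comments or short lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split(" ")
    if len(parts) < len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def decode_query(query):
    """Decode the logged query twice: IIS logs it raw, and double encoding is a common evasion."""
    return unquote_plus(unquote_plus(query))


def is_traversal_attempt(entry):
    """True when the request hits the t.dn handler with a '..' segment in the decoded query."""
    if entry["cs-uri-stem"].lower() != VULNERABLE_STEM:
        return False
    query = entry["cs-uri-query"]
    if query == "-":          # IIS writes "-" when there is no query string
        return False
    return TRAVERSAL.search(decode_query(query)) is not None


def find_traversal_attempts(log_text):
    """Return (client IP, HTTP status, decoded query) for every suspicious entry."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_iis_line(line)
        if entry and is_traversal_attempt(entry):
            hits.append((entry["c-ip"], entry["sc-status"], decode_query(entry["cs-uri-query"])))
    return hits


if __name__ == "__main__":
    for ip, status, query in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} status={status} query={query}")
```

A 200 status on a flagged entry is the signal to escalate: it means the handler returned the requested file, so the machine key in Web.config should be treated as exposed and rotated after patching.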
This, in turn, is a case of a local file inclusion (LFI) vulnerability, which occurs when a web application includes a file from the server based on poorly validated user input, allowing an attacker to read or execute local files on the server.
"Because Gladinet Cloud Enterprise is running as the NT AUTHORITY\SYSTEM user account, the user's temporary directory will generally be present at C:\Windows\Temp," Huntress explained. "This means that including directory traversal characters ..\ will allow the application to retrieve any file relative to C:\Windows\Temp\glad_temp. So for example retrieving the file ..\..\explorer.exe would retrieve the file from C:\Windows\explorer.exe."
As a result of this issue, an attacker can read the contents of the Web.config file, including the machine key required to carry out a deserialization attack and ultimately achieve remote code execution. In the attack detected by Huntress, the threat actors have been found to run reconnaissance commands (e.g., ipconfig /all) passed in the form of a Base64-encoded payload.
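To make the traversal mechanics concrete, here is an added Python example (not Gladinet's or Huntress' code) that reproduces the path arithmetic Huntress describes and contrasts it with a containment check that would have refused the request. The base directory C:\Windows\Temp\glad_temp and the two traversal inputs come from the article; the benign file name is constructed. It uses the ntpath module so the Windows path semantics behave the same on any host.

```python
"""Why "..\\" escapes a temp-directory handler, and a containment check that stops it.

Added example, not Gladinet's or Huntress' code. TEMP_BASE and the traversal
inputs come from the advisory text; everything else is constructed here.
"""
import ntpath
from urllib.parse import unquote_plus

# Directory the advisory says the handler serves files from when running as SYSTEM.
TEMP_BASE = r"C:\Windows\Temp\glad_temp"


def naive_resolve(base, requested):
    """Vulnerable pattern: join user input onto the base and normalise, with no containment check.

    normpath happily collapses the '..' segments, so the result can be anywhere on the drive.
    """
    return ntpath.normpath(ntpath.join(base, unquote_plus(requested)))


def contained_resolve(base, requested):
    """Hardened pattern: same join, but only return the path if it stays under base.

    Returns the normalised path, or None when the input is absolute, drive-qualified,
    or rooted, or when the normalised result lands outside the base directory.
    """
    decoded = unquote_plus(requested)
    # Reject absolute, drive-qualified or rooted input outright: ntpath.join discards the
    # base (or its directory part) when the second component carries a drive or a root.
    if ntpath.isabs(decoded) or ntpath.splitdrive(decoded)[0] or decoded.startswith(("\\", "/")):
        return None
    resolved = ntpath.normpath(ntpath.join(base, decoded))
    prefix = ntpath.normpath(base).rstrip("\\") + "\\"
    # Case-insensitive prefix test, since NTFS paths are case-insensitive.
    if not resolved.lower().startswith(prefix.lower()):
        return None
    return resolved


if __name__ == "__main__":
    requests = (
        r"..\..\explorer.exe",                                                         # from the advisory
        r"..\..\..\Program+Files+(x86)\Gladinet+Cloud+Enterprise\root\Web.config",     # from the advisory
        "upload123.tmp",                                                               # constructed benign name
    )
    for req in requests:
        print(f"{req}\n  naive     -> {naive_resolve(TEMP_BASE, req)}"
              f"\n  contained -> {contained_resolve(TEMP_BASE, req)}")
```

The naive form reproduces both results Huntress quotes (explorer.exe resolving to C:\Windows\explorer.exe, and the Web.config request resolving into the product's root directory), while the contained form returns None for both and passes only the file that really lives under the temp directory.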
The intrusion was ultimately foiled as the infected system was contained before it could progress to the next stage. Users are advised to update to the latest version, or, as previously mentioned, disable the temp handler to thwart exploitation efforts.
(The story was updated after publication to include a response from Huntress. It was updated again on October 16, 2025, to include details about the flaw and the availability of fixes.)