Unauthenticated flaw in Gladinet CentreStack and Triofox (CVE-2025-11371) exploited in the wild

An unauthenticated local file inclusion vulnerability tracked as CVE-2025-11371 in Gladinet CentreStack and Triofox file‑sharing and remote access platforms is being exploited in the wild, security researchers said, and Gladinet is working on a patch while providing an interim mitigation.

The flaw affects default installations and configurations of CentreStack and Triofox in the latest available version, 16.7.10368.56560, and all earlier versions, the researchers reported. Both products can be self‑hosted on premises or in a cloud environment, or hosted in Gladinet’s cloud.

According to Huntress investigators, CVE-2025-11371 allows attackers to retrieve the machineKey from an application’s Web.config file and then perform remote code execution by abusing a ViewState deserialization vulnerability (CVE-2025-30406) that was exploited earlier this year and subsequently patched.

Huntress said it observed exploitation on Sept. 26, 2025, against a CentreStack instance running a version later than 16.4.10315.56368, indicating the prior fix for CVE-2025-30406 was insufficient because attackers could still obtain the machineKey and forge ViewState payloads that pass integrity checks. Huntress also said it has seen the issue affect three customers so far.

As an immediate mitigation, operators were advised to remove a specific handler line from the Web.config file at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config; Huntress warned this may affect some platform functionality but will prevent exploitation until a patch is released. Huntress said it reached out to Gladinet and that Gladinet confirmed awareness and was notifying customers of the workaround.
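As an added example (not code from Huntress or Gladinet), the PowerShell check below lets an operator confirm whether an install falls in the affected range and inventory what the UploadDownloadProxy Web.config holds. The Web.config path and the version ceiling come from the report above; the handler line Huntress says to remove is not named on this page, so the script lists every registered handler for review instead of guessing, and the `machineKey` and `handlers` element locations are the standard ASP.NET/IIS ones.

```powershell
# Added example: inventory the UploadDownloadProxy Web.config on a CentreStack/Triofox host.
# The path and the affected version ceiling are taken from the Huntress report; the specific
# handler Huntress advises removing is not named here, so every handler is listed for review.
$WebConfig    = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config'
$LastAffected = [version]'16.7.10368.56560'   # latest version reported as affected

function Test-AffectedVersion {
    param([Parameter(Mandatory)][string]$Installed)
    # $true when the installed build is at or below the last version reported as affected.
    return ([version]$Installed -le $LastAffected)
}

function Get-WebConfigFindings {
    param([string]$Path = $WebConfig)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Web.config not found at $Path"
    }
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw

    # 1. The machineKey is the secret CVE-2025-11371 lets an attacker read (standard
    #    location: configuration/system.web/machineKey); record whether it is stored here.
    $mk = $cfg.configuration.'system.web'.machineKey
    $hasMachineKey = $null -ne $mk

    # 2. Handlers registered for this application (configuration/system.webServer/handlers);
    #    the interim mitigation removes one of these lines, so list them all for review.
    $handlers = @($cfg.configuration.'system.webServer'.handlers.add | ForEach-Object {
        [pscustomobject]@{ Name = $_.name; Path = $_.path; Verb = $_.verb; Type = $_.type }
    })

    [pscustomobject]@{
        ConfigPath    = $Path
        HasMachineKey = $hasMachineKey
        HandlerCount  = $handlers.Count
        Handlers      = $handlers
    }
}

# Example run (supply the version shown in the CentreStack/Triofox admin console):
# Test-AffectedVersion -Installed '16.7.10368.56560'   # True: still in the affected range
# (Get-WebConfigFindings).Handlers | Format-Table -AutoSize
```

Run it in an elevated session on the application server; the handler table is what to compare against the Huntress workaround before editing Web.config, since removing the wrong line breaks the proxy rather than mitigating the flaw.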

Huntress reported it blocked the attack before seeing further malicious activity. In earlier attacks that abused the ViewState issue, attackers attempted to download a malicious executable, install a remote access tool and perform lateral movement.