Gladinet file sharing zero-day brings patched flaw back from the dead

Criminals have been spotted exploiting a new zero-day vulnerability in Gladinet CentreStack and Triofox file sharing servers that could allow them to re-create the conditions of an earlier flaw patched in April, security company Huntress has warned.

Normally, organizations patch a flaw and assume they’re done until the next issue arises. In the case of CVE-2025-11371, an unauthenticated local file inclusion vulnerability, things are likely to be more complicated.

Huntress discovered CVE-2025-11371 on September 27 when a detector in the company’s managed security operations center (SOC) issued an alert for the successful exploitation of CentreStack in a customer’s environment.

At first, the engineers assumed this was connected to a previous zero-day in the same software that the company publicized in April, a ViewState deserialization vulnerability allowing remote code execution (RCE), tracked as CVE-2025-30406.

However, engineers discovered that the targeted customer was running a version of CentreStack patched against that vulnerability. Further analysis revealed that the latest detection was a completely new vulnerability that had been used against three of Huntress’s customers.

Tale of two flaws

The underlying problem revealed by April’s CVE-2025-30406 was that CentreStack and Triofox relied on a hardcoded machineKey. A prerequisite for exploiting this flaw was that the attackers had to discover this machineKey, made easier because every installation used the same one.

A patch updated this so that every new installation generated its own key, leaving admins to manually cycle existing keys.

How does this relate to CVE-2025-11371? As Huntress explained, the new flaw “allowed a threat actor to retrieve the machineKey from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability [CVE-2025-30406].”

In other words, by exploiting the new flaw attackers can get their hands on the necessary machineKey, including ones that were changed as part of the CVE-2025-30406 fix.

So, CVE-2025-11371, while different from CVE-2025-30406, could be used as a roundabout way to re-enable a key part of what made April’s flaw dangerous.

What to do

All versions of CentreStack and Triofox file sharing servers up to and including 16.7.10368.56560 are vulnerable to CVE-2025-11371.

The bad news is that Gladinet has yet to issue a patch for this, which means that for the time being the best customers can do is to apply the recommended mitigation.

Luckily, according to Huntress, it’s fairly simple: disable the temp handler within the Web.config file for UploadDownloadProxy located at:

C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config

“This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched,” said Huntress.

Gladinet seems to have discovered the flaw independently of Huntress via a mutual customer and is notifying other customers of the mitigation.

The flaw’s discovery reinforces that good SOC controls can often pick up exploits even when the flaw being exploited is unknown. In this case, it was “an irregular base64 payload being executed as a child of a web server process,” said the Huntress alert.
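As an added illustration of that kind of detection (example code written for this article, not Huntress’s detector), the following Python flags command-interpreter children of the IIS worker process w3wp.exe whose command line carries a base64 blob that decodes to text. The parent/child process names, the event field layout and the sample events are assumptions constructed for the example.

```python
import base64
import re
from dataclasses import dataclass

# IIS worker process assumed to host the CentreStack/Triofox web apps.
WEB_SERVER_PARENTS = {"w3wp.exe"}
# Command interpreters an injected payload would typically be handed to.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# A run of base64 alphabet long enough to be a payload rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    parent_image: str
    image: str
    command_line: str


def decodes_to_text(blob: str) -> bool:
    """True if blob is valid base64 whose bytes are printable ASCII or UTF-16LE text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return False
    for codec in ("ascii", "utf-16le"):  # UTF-16LE is what PowerShell -EncodedCommand uses
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c.isspace() for c in text):
            return True
    return False


def find_suspicious(events: list[ProcEvent]) -> list[str]:
    """Return command lines of shell children of a web server process that carry a base64 payload."""
    hits = []
    for ev in events:
        parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
        child = ev.image.rsplit("\\", 1)[-1].lower()
        if parent not in WEB_SERVER_PARENTS or child not in SHELL_CHILDREN:
            continue  # normal parentage: not the pattern described in the alert
        if any(decodes_to_text(m.group(0)) for m in B64_RUN.finditer(ev.command_line)):
            hits.append(ev.command_line)
    return hits


# Constructed sample events; the payload is a harmless encoded PowerShell string.
SAMPLE_PAYLOAD = base64.b64encode("Write-Output benign-sample".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir C:\inetpub"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -EncodedCommand {SAMPLE_PAYLOAD}"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -EncodedCommand {SAMPLE_PAYLOAD}"),
]
```

Only the second event is reported: the first has no base64 run and the third has the same payload but a non-web-server parent.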

“Don’t assume that being ‘fully patched’ means being secure,” Huntress director of adversary tactics, Jamie Levy, told CSO Online.

“The new Gladinet local file inclusion flaw shows how post-patch regressions can reintroduce critical risk paths. When in doubt, isolate or disable vulnerable handlers immediately, even at the cost of some functionality, to close exploit windows until the vendor releases a validated patch,” he said.

File sharing and file transfer systems are now a regular target for attackers looking to steal data for extortion, recent examples of which include a vulnerability in Fortra’s GoAnywhere MFT software, and the 2023 attack affecting 2,600 organizations using the MOVEit file transfer service.
