Security researchers have confirmed active exploitation of a zero-day vulnerability in Gladinet CentreStack and Triofox file-sharing products that allows unauthenticated actors to read system files and escalate that capability to remote code execution. The flaw, tracked as CVE-2025-11371, is a local file inclusion (LFI) issue affecting default installations and configurations of both products; researchers warned that no official patch is yet available and recommended immediate mitigations to prevent further compromise.
The vulnerability was observed in the wild on September 27, 2025, when a threat actor leveraged the LFI to retrieve the application’s machine key from the Web.config file. That machine key let the attacker forge ASP.NET ViewState payloads and trigger unsafe deserialization leading to remote code execution, in effect chaining CVE-2025-11371 to an earlier ViewState deserialization weakness that has been abused before. Investigators report at least three confirmed customer impacts so far and stress that all versions through 16.7.10368.56560 are vulnerable.
“Attackers are able to access any file on the file system remotely without authentication as a result of CVE-2025-11371.” — Huntress researchers
Exploitation Timeline and Technical Chain: LFI to Machine Key Theft to Remote Code Execution
Researchers monitoring CentreStack and Triofox activity say the initial intrusion pattern begins with remote requests that exploit the unauthenticated Local File Inclusion flaw in order to read server-side files. The primary objective observed in early incidents was exfiltration of the ASP.NET machine key stored in the Web.config file. With that key, adversaries can craft ViewState blobs that pass integrity checks and trigger unsafe server-side deserialization, producing remote code execution on the host.
Huntress investigators first detected successful exploitation on September 27 and correlated the activity to subsequent attempts to execute commands via the deserialization vector. Analysts noted the technique reuses prior knowledge of CentreStack’s ViewState handling and an earlier vulnerability that had been patched in some older versions; the new LFI effectively re-opens the same dangerous attack path even on builds that had addressed the older flaw.
The NVD entry for CVE-2025-11371 indicates the vulnerability impacts default installations and configurations and lists the affected product versions as all releases prior to and including 16.7.10368.56560. Multiple security outlets report that attackers have used the flaw to retrieve arbitrary files, obtain the machine key, and then deliver follow-on payloads. Investigators caution that the contextual information contained in configuration and snapshot files may also be leveraged for lateral movement, credential harvesting and targeted follow-on attacks against connected infrastructure.
Affected deployments include both on-premises and cloud-hosted CentreStack and Triofox instances. Because the products are commonly used to expose file shares and remote access for managed service providers and enterprises, exposure of backups, credentials and configuration metadata increases enterprise risk and could allow attackers to pivot to internal resources or disrupt business-critical storage.
Immediate Mitigations, Detection Steps and Long-Term Remediation Advice for Administrators
Gladinet has not yet released a patch that fully addresses CVE-2025-11371. In the interim, Huntress and other incident responders have published a mitigation that administrators should apply without delay: disable the vulnerable handler referenced in the Web.config file that permits unauthenticated file inclusion. In addition to that immediate measure, security teams are being advised to take the following actions:
• Isolate internet-facing CentreStack/Triofox instances from public access and restrict management interfaces to known administrative IP ranges.
• Apply the Web.config mitigation recommended by incident responders and confirm the handler is disabled across all instances.
• Rotate any machine keys or cryptographic secrets where possible, and remove hard-coded keys from configuration files to prevent reuse.
• Review web server and application logs for suspicious LFI patterns, unexpected file reads of Web.config or machineKey, and abnormal ViewState payloads. Look specifically for requests attempting to retrieve files from paths under the application root.
• Hunt for signs of deserialization attempts, unexpected msiexec or PowerShell activity, and new or altered scheduled tasks and services that could indicate post-exploitation activity.
• Treat any unauthorized file read as a potential full compromise; engage incident response partners and consider taking affected servers offline for forensic preservation if exploitation is suspected.
• Ensure backups and snapshots are retained offline and validate restoration processes to guard against destructive follow-on actions.
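The log review called for in the list above, as an added example rather than anything from Huntress or Gladinet: a small Python triage pass over IIS W3C access logs that percent-decodes request paths (including double encoding), flags traversal sequences and references to Web.config or machineKey, and rates a hit higher when the server answered 2xx, since that usually means the file was returned. The log lines, the client addresses and the handler path are constructed; the real handler the advisory refers to is not named on the page, so a placeholder is used.

```python
"""Triage IIS W3C access logs for LFI-style requests against an ASP.NET app.

Added example, not from the advisory or from Gladinet. Assumptions: the field
layout is the default IIS W3C set (the #Fields: header, when present, wins),
the log lines are constructed, and the patterns are generic traversal and
config-read indicators for triage, not a signature for CVE-2025-11371.
"""
import re
from urllib.parse import unquote

# Default IIS W3C field order, used only when a log has no #Fields: header.
DEFAULT_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# Constructed sample: two benign portal hits, then two requests from one client
# aimed at a placeholder handler (the real handler name is not on the page).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-09-27 10:01:02 10.0.0.5 GET /portal/login.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 31
2025-09-27 10:01:09 10.0.0.5 POST /portal/login.aspx - 443 jdoe 198.51.100.20 Mozilla/5.0 https://files.example.test/portal/login.aspx 302 0 0 45
2025-09-27 10:02:15 10.0.0.5 GET /portal/handler-placeholder path=..%2f..%2fweb.config 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 12
2025-09-27 10:02:31 10.0.0.5 GET /portal/handler-placeholder path=%252e%252e/windows/win.ini 443 - 203.0.113.7 python-requests/2.31 - 404 0 2 3
"""

# "../" or "..\" after decoding; the decoder below also unwraps double encoding.
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Files the advisory names as the target of the observed reads.
SENSITIVE = re.compile(r"web\.config|machinekey", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %252e%252e (double-encoded ..) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the W3C field names."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; a real triage tool would count these
        yield dict(zip(fields, parts))


def classify(entry):
    """Return a finding for a suspicious request, or None for a benign one."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "")
    target = fully_decode(stem if query == "-" else f"{stem}?{query}")
    reasons = []
    if TRAVERSAL.search(target):
        reasons.append("path traversal")
    if SENSITIVE.search(target):
        reasons.append("sensitive file reference")
    if not reasons:
        return None
    status = entry.get("sc-status", "")
    return {
        "time": f"{entry.get('date', '')} {entry.get('time', '')}",
        "client": entry.get("c-ip", ""),
        "uri": target,
        "status": status,
        # A 2xx on a traversal or config read means the server likely returned the file.
        "severity": "high" if status.startswith("2") else "medium",
        "reasons": reasons,
    }


def triage(text):
    """Run every entry through classify() and keep the hits."""
    return [f for f in (classify(e) for e in parse_w3c(text)) if f]


def clients_to_review(findings):
    """Source IPs with at least one finding, ordered by number of hits."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return sorted(counts, key=counts.get, reverse=True)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"[{h['severity']}] {h['time']} {h['client']} {h['status']} {h['uri']} ({', '.join(h['reasons'])})")
    print("clients to review:", clients_to_review(hits))
```

Point `triage()` at the contents of the IIS log directory for each CentreStack/Triofox host. Any high-severity hit on Web.config should be treated as a machine key exposure and feed directly into the key rotation and ViewState review described in the next paragraph.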
Because the LFI can be chained to a ViewState deserialization exploit, defenders should also search for evidence that attackers used the machine key to craft forged ViewState data. Where feasible, application teams should remove or rotate machine keys and adopt secure ViewState handling patterns that use per-deployment keys and server-side validation.
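The key rotation and ViewState hardening described above, as an added example that is not Gladinet's or Huntress's code: a Python audit of the `<machineKey>` and `<pages>` elements in an ASP.NET Web.config, followed by a rotation that writes fresh HMACSHA256 and AES keys and re-enables ViewState MAC validation. The Web.config is constructed; the attribute names and key sizes are the standard ASP.NET ones. Note that a stronger algorithm does not help once a key has been read from disk, which is the scenario on this page; only rotating the key does, and the audit's static-key findings are kept as informational for that reason.

```python
"""Audit and rotate the <machineKey> section of an ASP.NET Web.config.

Added example, not Gladinet's or Huntress's code. The Web.config below is
constructed; the code relies only on the standard ASP.NET machineKey and
pages attribute names and on the key sizes ASP.NET expects for HMACSHA256
(64 bytes) and AES (16 to 32 bytes), both hex-encoded.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed config with the shape that makes a file-read bug expensive:
# static keys in a readable file, SHA1 validation, and ViewState MAC disabled.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

WEAK_VALIDATION = {"MD5", "SHA1", "3DES", "AES"}  # legacy ViewState MAC algorithms
WEAK_DECRYPTION = {"DES", "3DES"}


def audit(config_xml):
    """Return (severity, message) findings for the machineKey configuration."""
    root = ET.fromstring(config_xml)
    findings = []
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            if value and not value.startswith("AutoGenerate"):
                # Not wrong by itself (web farms need shared keys), but it is exactly
                # what an arbitrary file read hands over, so rotate it after any exposure.
                findings.append(("info", f"static {attr} stored in Web.config"))
        validation = mk.get("validation")
        if validation and validation.upper() in WEAK_VALIDATION:
            findings.append(("high", f"validation={validation}; use HMACSHA256 or stronger"))
        decryption = mk.get("decryption")
        if decryption and decryption.upper() in WEAK_DECRYPTION:
            findings.append(("high", f"decryption={decryption}; use AES"))
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("high", "enableViewStateMac=false: ViewState accepted with no integrity check"))
    return findings


def rotate(config_xml):
    """Return a new Web.config string with fresh keys and modern algorithms.

    Rotation invalidates every outstanding ViewState and forms-auth ticket, and
    every node of a web farm must receive the same new values.
    """
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())  # 64 bytes for HMACSHA256
    mk.set("decryptionKey", secrets.token_hex(32).upper())  # 32 bytes, i.e. AES-256
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    pages = system_web.find("pages")
    if pages is not None and "enableViewStateMac" in pages.attrib:
        pages.set("enableViewStateMac", "true")
    return ET.tostring(root, encoding="unicode")


def current_keys(config_xml):
    """Accessor used to confirm a rotation actually changed both keys."""
    mk = ET.fromstring(config_xml).find("./system.web/machineKey")
    return (mk.get("validationKey"), mk.get("decryptionKey")) if mk is not None else (None, None)


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {message}")
    rotated = rotate(SAMPLE_WEB_CONFIG)
    print("findings after rotation:", audit(rotated))
```

After rotation, the keys are still plaintext in Web.config, so the static-key findings remain. To make a future file read yield only ciphertext, encrypt the section with the .NET Framework tool `aspnet_regiis -pe "system.web/machineKey" -app "/<virtual path>"`, which protects it with DPAPI so that decrypting requires code execution on the host rather than a file read. Follow Gladinet's own guidance on where CentreStack and Triofox expect the key to live before changing a production deployment.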
Investigators further recommend applying Web Application Firewall (WAF) rules to block LFI exploitation patterns, enabling strict allow-listing for administrative interfaces, and increasing telemetry collection from CentreStack/Triofox endpoints to improve detection of anomalous access and data exfiltration attempts.
Operational Impact, Risk Assessment and Next Steps for Organizations
The active exploitation of CVE-2025-11371 presents an elevated risk to organizations that host CentreStack or Triofox, particularly those exposing instances directly to the internet. Confidential file stores, archived backups and authentication secrets contained in configuration files are attractive targets; attack consequences could include data exfiltration, integrity loss, lateral movement into critical networks, or full server takeover via remote code execution.
Because no patch is yet available, defenders must prioritize mitigations and monitoring while coordinating with Gladinet for official updates. Managed service providers and enterprises with multiple deployments should treat the situation as urgent: perform an inventory of CentreStack and Triofox instances, apply the recommended Web.config mitigation uniformly, and immediately investigate any anomalies in file access or ViewState handling.
Incident responders are sharing indicators of compromise and detection rules with CERTs and platform providers to accelerate community defenses. Organizations that discover evidence of exploitation should follow established incident-response procedures, notify stakeholders, and consider legal or regulatory reporting obligations depending on the sensitivity of exposed data.
The discovery and public disclosure of CVE-2025-11371 reinforce a recurring theme in enterprise security: configuration and default-setup weaknesses can permit critical escalation even in otherwise maintained products. Administrators must move quickly to implement mitigations and treat any CentreStack/Triofox deployment as potentially at risk until a vendor patch is issued and validated.