CVE-2025-11371: Unpatched Gladinet Flaw Actively Exploited in the Wild

Red | Vulnerability Report

Summary

A critical unauthenticated Local File Inclusion (LFI) vulnerability, tracked as CVE-2025-11371, has been identified in Gladinet’s CentreStack and Triofox platforms. The flaw, affecting versions up to 16.7.10368.56560, allows remote attackers to read sensitive files such as Web.config without authentication. This exposure enables attackers to retrieve the machine key used for ASP.NET ViewState validation, which can then be chained with CVE-2025-30406—a previously disclosed deserialization vulnerability—to achieve remote code execution (RCE).

Exploitation of this flaw was first detected on September 27, 2025, when a CentreStack instance patched for CVE-2025-30406 was compromised through this new LFI pathway. As of mid-October 2025, the vulnerability remains unpatched publicly, creating an urgent risk for enterprise environments running file-sharing and remote-access deployments of CentreStack and Triofox.

Gladinet has acknowledged awareness of the issue and begun communicating with affected customers, but until an official fix is released, organizations remain vulnerable to chained RCE attacks combining CVE-2025-11371 with CVE-2025-30406.


Vulnerability Details

The CVE-2025-11371 flaw resides in default configurations of Gladinet CentreStack and Triofox, where attackers can exploit a vulnerable UploadDownloadProxy endpoint to access files on the server. Through this path, they can extract Web.config, a file that contains the ASP.NET machine key. This key is critical for ViewState integrity and validation.

Once obtained, the machine key allows an attacker to forge malicious ViewState payloads that exploit CVE-2025-30406—a related vulnerability stemming from hardcoded cryptographic keys—to escalate the attack from information disclosure to remote code execution.

While the CVSS score (~6.1) reflects a moderate severity based solely on the LFI risk, the real-world impact becomes critical when the flaw is weaponized through chaining. The vulnerability effectively reopens the RCE attack surface even in systems already updated to mitigate CVE-2025-30406.

Vulnerability Metadata:

  • CVE ID: CVE-2025-11371
  • Type: Local File Inclusion (LFI)
  • Affected Products: Gladinet CentreStack and Triofox
  • Versions Affected: All versions prior to and including 16.7.10368.56560
  • CPE:
    • cpe:2.3:a:gladinet:centrestack:*:*:*:*:*:*:*:*
    • cpe:2.3:a:gladinet:triofox:*:*:*:*:*:*:*:*
  • CWE ID: CWE-552 (Files or Directories Accessible to External Parties)
  • Impact: Sensitive data exposure leading to chained Remote Code Execution.

Recommendations

  • Disable the ‘temp’ Handler in Web.config:
    In the UploadDownloadProxy section of Web.config, disable or comment out the line referencing Gladinet.Cloud.Proxy.TempHandler. This blocks unauthenticated file access and prevents exploitation of the vulnerable LFI endpoint.
  • Rotate ASP.NET Machine Keys:
    Immediately regenerate and replace the ASP.NET machine key, even if CVE-2025-30406 patches were applied previously. This action invalidates any forged ViewState payloads an attacker could craft and requires an IIS reset after implementation.
  • Restrict External Access:
    Enforce network segmentation and access control on the CentreStack/Triofox web services, limiting access to trusted internal networks only. Isolating the UploadDownloadProxy endpoint drastically reduces exploitability.
  • Monitor System Logs:
    Continuously audit logs for unauthorized read attempts to Web.config and inspect for suspicious ViewState requests containing base64-encoded payloads. Early detection of such anomalies may indicate active exploitation attempts.
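As an added example (not part of the advisory), the following Python scan applies the Monitor System Logs recommendation to constructed IIS W3C log lines: it flags requests to the UploadDownloadProxy application whose path or query reaches for Web.config or contains directory traversal. The handler path, field layout and addresses are constructed placeholders; the advisory does not give the real endpoint path.

```python
"""Flag IIS W3C log records consistent with the CVE-2025-11371 read pattern.
Sample log, field layout and the '/UploadDownloadProxy/example-handler' path
are constructed for illustration only."""
from urllib.parse import unquote

SUSPICIOUS_FILES = ("web.config",)
TRAVERSAL = ("../", "..\\")

def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def normalize(value):
    # Decode twice so single- and double-encoded traversal sequences both collapse.
    return unquote(unquote(value)).lower()

def is_suspicious(rec):
    """Return a reason string for a flagged record, or None for benign traffic."""
    stem = normalize(rec.get("cs-uri-stem", ""))
    target = stem + "?" + normalize(rec.get("cs-uri-query", "-"))
    if "uploaddownloadproxy" not in stem:
        return None  # only the proxy application is in scope for this rule
    if any(name in target for name in SUSPICIOUS_FILES):
        return "Web.config referenced via UploadDownloadProxy"
    if any(seq in target for seq in TRAVERSAL):
        return "directory traversal via UploadDownloadProxy"
    return None

def scan(text):
    """Return (timestamp, client ip, method, status, reason) for each flagged record."""
    hits = []
    for rec in parse_w3c(text):
        reason = is_suspicious(rec)
        if reason:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                         rec["cs-method"], rec["sc-status"], reason))
    return hits

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-09-27 03:14:07 10.0.0.5 GET /portal/login.aspx - 443 - 198.51.100.20 Mozilla/5.0 200
2025-09-27 03:14:09 10.0.0.5 GET /UploadDownloadProxy/example-handler file=..%2F..%2FWeb.config 443 - 203.0.113.7 python-requests/2.31 200
2025-09-27 03:14:10 10.0.0.5 GET /UploadDownloadProxy/example-handler file=%252e%252e%252fWeb.config 443 - 203.0.113.7 python-requests/2.31 200
2025-09-27 03:15:00 10.0.0.5 GET /UploadDownloadProxy/example-handler file=report.pdf 443 jdoe 10.0.0.44 Mozilla/5.0 200
2025-09-27 03:15:30 10.0.0.5 GET /UploadDownloadProxy/example-handler file=..%5C..%5Cother.txt 443 - 203.0.113.7 curl/8.0 404
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A 200 status on a flagged record means the read likely succeeded and the machine key should be treated as compromised; the key rotation above applies regardless of the status.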

MITRE ATT&CK TTPs

  • TA0001 – Initial Access: T1190 (Exploit Public-Facing Application)
  • TA0002 – Execution: T1203 (Exploitation for Client Execution), T1059 (Command and Scripting Interpreter)
  • TA0004 – Privilege Escalation: T1068 (Exploitation for Privilege Escalation)
  • TA0006 – Credential Access: T1552 (Unsecured Credentials), T1552.001 (Credentials In Files)
  • TA0007 – Discovery: T1083 (File and Directory Discovery)
  • TA0042 – Resource Development: T1588 (Obtain Capabilities), T1588.005 (Exploits), T1588.006 (Vulnerabilities)
