Gladinet fixes actively exploited zero-day (CVE-2025-11371) in CentreStack / Triofox

NEWS

Introduction: what happened

Gladinet has released security updates for its CentreStack file-sharing platform (and Triofox) to fix an actively exploited local file inclusion (LFI) vulnerability tracked as CVE-2025-11371. Attackers were abusing this flaw in the wild to read Web.config, recover the ASP.NET machine key, and then chain to a previously known deserialization/RCE flaw (CVE-2025-30406) for full compromise. A patched CentreStack build 16.10.10408.56683 is now available.

In brief

  • Vuln: Unauthenticated LFI in the /storage/t.dn “temp-download” handler (parameter s=…) lets an attacker traverse directories and read files as NT AUTHORITY\SYSTEM.
  • Exploit chain: Read Web.config → extract machineKey → craft malicious ViewState → RCE via CVE-2025-30406.
  • Status: Patch available; admins should upgrade immediately.
  • Scope/affected: CentreStack/Triofox builds up to at least 16.7.10368.56560 are vulnerable in the default configuration.

Context, history, and timeline

  • Apr 2025: CVE-2025-30406 (hardcoded/known machine key → ViewState deserialization → RCE) is publicly documented and added to KEV; exploitation observed.
  • Oct 9, 2025: Huntress discloses in-the-wild exploitation of a new LFI (CVE-2025-11371) that bypasses prior mitigations by enabling retrieval of Web.config.
  • Oct 14–16, 2025: Gladinet makes build 16.10.10408.56683 available with a fix; reporting confirms patch availability.
  • Oct 16, 2025: SANS “At-Risk” summarizes the issue for defenders.

Technical analysis: how CVE-2025-11371 leads to RCE

  1. Entry point: GET /storage/t.dn?s=../../../../Windows/… (examples vary). The handler insufficiently sanitizes s and resolves paths relative to the temp folder as SYSTEM, enabling directory traversal to arbitrary files accessible to that account.
  2. Secret theft: Read Web.config to obtain the ASP.NET machineKey used for ViewState signing.
  3. RCE chain: With the key, an attacker crafts a signed malicious ViewState, exploiting CVE-2025-30406 to deserialize attacker-controlled objects and execute commands on the server. Telemetry observed base64-encoded POSTs immediately after the t.dn reads.
  4. Affected versions: Default installations ≤ 16.7.10368.56560 were vulnerable; exploitation in the wild confirmed by Huntress and reflected in NVD.

Practical consequences and risk

  • Impact: Full server compromise (code execution as the web worker), data theft from mapped back-ends, credential exposure, and lateral movement to file servers/AD.
  • Exposure profile: Internet-facing CentreStack/Triofox portals are most at risk; multiple organizations were reported compromised before the patch.
  • Detection artifacts:
    • Unusual GET /storage/t.dn?… returning Web.config.
    • Subsequent ViewState-heavy POSTs with base64 payloads; suspicious child processes from the IIS worker.

What to do now: operations & hardening checklist

  1. Patch immediately: Upgrade CentreStack to 16.10.10408.56683 or later (use the vendor installer/upgrade flow).
  2. If you cannot patch right away: Disable the temp handler for UploadDownloadProxy by removing the handler line from Web.config as a temporary mitigation.
  3. Hunt for compromise (post-exploitation):
    • Review web logs for GET /storage/t.dn with traversal in s= and 200 responses.
    • Inspect IIS logs for large/base64 POSTs to the portal, and process telemetry for odd cmd.exe/powershell.exe children of w3wp.exe.
    • Rotate machine keys and other secrets if Web.config access is suspected.
  4. Reduce attack surface: Restrict portal exposure (VPN/zero-trust), enforce MFA for admin, least privilege on the host, and keep the product on the latest train noted by the vendor.
  5. Validation tooling: Consider running an external validation to confirm exposure/mitigation (several vendors published safe checks for CVE-2025-11371).
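The log-hunting steps above (traversal in the s= parameter of GET /storage/t.dn with a 200 response, followed by large base64 POSTs from the same client) can be automated. The following is an added example, not tooling from Gladinet, Huntress or any source cited here; the log lines are constructed, the IIS W3C field subset, the /portal/loginpage.aspx path, the 10-minute window and the 4096-byte POST threshold are assumptions you should tune to your own logs.

```python
"""Hunt IIS W3C logs for the CVE-2025-11371 read -> CVE-2025-30406 ViewState POST chain."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote

# Constructed sample log (not real telemetry); layout follows IIS W3C extended logging.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-bytes
2025-10-09 10:01:02 203.0.113.5 GET /storage/t.dn s=..%2F..%2F..%2F..%2Finetpub%2Fwwwroot%2FWeb.config 200 312
2025-10-09 10:01:09 203.0.113.5 POST /portal/loginpage.aspx - 200 48213
2025-10-09 10:05:00 198.51.100.7 GET /storage/t.dn s=report-2025.pdf 200 250
2025-10-09 10:06:00 198.51.100.7 POST /portal/loginpage.aspx - 200 1800
"""

# Traversal markers, plain and URL-encoded (checked after decoding, so double encoding is caught too).
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e|\.\.%2f|\.\.%5c)", re.IGNORECASE)


def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the names in the #Fields: header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_lfi_read(row):
    """GET /storage/t.dn whose s= value traverses directories and was answered with 200."""
    if row["cs-method"] != "GET" or row["cs-uri-stem"].lower() != "/storage/t.dn":
        return False
    s_values = parse_qs(row["cs-uri-query"]).get("s", [])
    return row["sc-status"] == "200" and any(TRAVERSAL.search(unquote(v)) for v in s_values)


def find_chain(rows, window=timedelta(minutes=10), post_min_bytes=4096):
    """Pair each traversal read with a later large POST from the same client (assumed thresholds)."""
    findings, reads = [], {}
    for row in rows:
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        ip = row["c-ip"]
        if is_lfi_read(row):
            reads[ip] = ts
            findings.append(("lfi_read", ip, row["cs-uri-query"]))
        elif (row["cs-method"] == "POST" and ip in reads
              and ts - reads[ip] <= window and int(row["cs-bytes"]) >= post_min_bytes):
            findings.append(("possible_viewstate_rce", ip, row["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for finding in find_chain(parse_w3c(SAMPLE_LOG)):
        print(*finding)
```

Any `lfi_read` hit means the machineKey must be treated as exposed and rotated, regardless of whether a follow-up POST was seen.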

Differences / comparison with earlier CentreStack issues

  • CVE-2025-30406 (Apr 2025) relied on known/hardcoded machine keys in default configs.
  • CVE-2025-11371 (Oct 2025) is an LFI that steals your instance-specific machineKey, letting attackers revive the old ViewState RCE chain even if you previously mitigated CVE-2025-30406; hence the urgency to patch both and rotate keys.

Summary / key takeaways

  • A new LFI (CVE-2025-11371) has been actively exploited to recover machineKey and achieve RCE via CVE-2025-30406.
  • Upgrading to 16.10.10408.56683+ is the fastest, safest fix; a config-based handler removal can mitigate in the interim.
  • Hunt for /storage/t.dn access and ViewState abuse patterns; rotate keys if compromise is suspected.

Sources / bibliography

  • BleepingComputer: Gladinet fixes actively exploited zero-day in file-sharing software (Oct 16, 2025).
  • Huntress: Active Exploitation of Gladinet CentreStack and Triofox (CVE-2025-11371) (Oct 2025).
  • NVD: CVE-2025-11371 (impact and affected versions).
  • CentreStack: Latest downloads, access.centrestack.com (shows 16.10.10408.56683 availability).
  • SANS Institute: At-Risk Newsletter, summary for defenders (Oct 16, 2025).