Gladinet fixes actively exploited zero-day in CentreStack/Triofox: what happened and how to respond

NEWS

Introduction: a zero-day chain from LFI to RCE

Gladinet has released security updates for CentreStack and Triofox after Huntress observed in-the-wild exploitation of a new bug tracked as CVE-2025-11371. The flaw is an unauthenticated Local File Inclusion (LFI) that lets an attacker read arbitrary files from the server, including the application's Web.config. With the machine key extracted from that file, attackers can regain remote code execution (RCE) through the earlier ViewState deserialization issue (CVE-2025-30406): the patch for that bug depends on the key staying secret, so a leaked key re-opens the path on otherwise fully patched systems. Gladinet's fix is available in CentreStack build 16.10.10408.56683 (released October 14, 2025).

In brief

  • What: Unauthenticated LFI (/storage/t.dn?s=…) leads to disclosure of Web.config; machine key enables ViewState deserialization RCE (CVE-2025-30406).
  • Impact: Confirmed active exploitation since September 27, 2025 against at least three organizations.
  • Fix: Update to CentreStack 16.10.10408.56683 (released Oct 14, 2025). Temporary mitigation is to disable the temp download handler that serves t.dn.
  • Products: Gladinet CentreStack and Triofox.

Context / history / connections

In April 2025, Gladinet addressed CVE-2025-30406, a hardcoded machineKey that enabled ViewState deserialization RCE. On September 27, 2025, Huntress detected an attacker exfiltrating Web.config via a previously unknown LFI (now CVE-2025-11371) from a server already running a build patched against that RCE. Reading Web.config hands the adversary the server's own machine key, which is all the old deserialization path needs; the LFI thereby becomes a practical remote compromise chain rather than a mere information leak.

Technical analysis / details of the vulnerability

  • Vulnerable endpoint: GET /storage/t.dn?s=... is handled by GladinetStorage.TempDownload (in GSUploadDownloadProxy.dll). The handler is reachable without authentication from the internet-facing portal and applies no effective check for path traversal sequences (..\) in the s parameter.
  • Path and privilege context: The handler resolves s relative to its temp directory (e.g., C:\Windows\Temp\glad_temp\), so ..\..\..\Program Files (x86)\Gladinet Cloud Enterprise\root\Web.config walks up to the drive root and back down to the application's config. Because the worker process runs as NT AUTHORITY\SYSTEM, nothing on disk is out of reach: file ACLs provide no second line of defense.
  • Observed exploit chain:
    1. GET request to retrieve Web.config via t.dn.
    2. Use the exfiltrated machine key to craft a malicious ViewState payload (leveraging CVE-2025-30406) and execute commands.
    3. The operators redirected command output to a file on disk and fetched it back through the same LFI, giving an otherwise blind RCE a read-back channel.
  • Proof-of-concept (partial): Huntress published a one-line PowerShell to fetch Web.config (they did not release the full RCE chain PoC).
  • Versions / tracking: CVE-2025-11371 affects all versions up to and including 16.7.10368.56560; the patch landed on Oct 14, 2025 in 16.10.10408.56683.
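The handler's mistake is a path-containment failure, and the fix is a containment check rather than blacklisting the string "..". As an added illustration (not Gladinet's code; the base directory and the way the s parameter is joined are assumptions modelled on the description above), the Python below uses ntpath so it reproduces Windows path semantics on any host: vulnerable_resolve joins the caller's s value onto the temp directory with no check, while safe_resolve decodes once, refuses absolute or drive-qualified input, normalises, and requires the canonical result to sit strictly beneath the base directory. Run it and the first function hands back the Web.config path from the observed exploit, the second refuses it.

```python
import ntpath
from typing import Optional
from urllib.parse import unquote_plus

# Assumed base directory of the temp-download handler (the article cites C:\Windows\Temp\glad_temp\).
TEMP_BASE = r"C:\Windows\Temp\glad_temp"


def vulnerable_resolve(s_param: str) -> str:
    """Model of the flawed behaviour (illustrative, not Gladinet's code): decode the
    caller-supplied 's' value, join it onto the temp directory and normalise, with no
    check that the result still lies inside TEMP_BASE. A handler running as SYSTEM then
    reads whatever path this produces."""
    return ntpath.normpath(ntpath.join(TEMP_BASE, unquote_plus(s_param)))


def safe_resolve(s_param: str) -> Optional[str]:
    """Hardened form: decode exactly once, refuse absolute / drive / UNC input, normalise,
    then require the canonical result to be a strict descendant of TEMP_BASE.
    Returns None when the request must be rejected (answer 400/404, never echo the path)."""
    decoded = unquote_plus(s_param)
    if ntpath.isabs(decoded) or ntpath.splitdrive(decoded)[0] or decoded.startswith(("\\\\", "//")):
        return None
    candidate = ntpath.normpath(ntpath.join(TEMP_BASE, decoded))
    # Case-insensitive containment check with an explicit trailing separator, so that a
    # sibling directory such as glad_temp2 does not pass a naive prefix test, and the
    # base directory itself (empty 's') is not served either.
    base = ntpath.normcase(TEMP_BASE)
    cand = ntpath.normcase(candidate)
    if not cand.startswith(base + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    payload = r"..\..\..\Program+Files+(x86)\Gladinet+Cloud+Enterprise\root\Web.config"
    print("vulnerable ->", vulnerable_resolve(payload))
    print("hardened   ->", safe_resolve(payload))
```

The ordering matters: decoding before normalising means %2e%2e%5c is treated identically to a literal ..\, and checking the normalised result (rather than scanning the input for "..") is what makes the check robust to mixed slashes and redundant separators.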

Practical consequences / risks

  • Internet-exposed management portals are at risk of complete system compromise when the LFI is chained to the deserialization vector.
  • Credential and key disclosure: Access to Web.config may expose machine keys and other secrets, enabling forgery of signed data and pivoting.
  • Detection evasion: Attackers can run commands blind and recover the output via the same LFI, leaving little beyond web server access logs and ASP.NET application events. Note that Event ID 1316 records ViewState verification failures, so it catches mis-keyed attempts, not a payload signed with the stolen key; the access log is the more reliable record of this chain.

Operational recommendations / what to do next

  1. Patch immediately to CentreStack 16.10.10408.56683 (or vendor-equivalent for Triofox/managed deployments). Validate version post-upgrade.
  2. If patching must be staged, apply vendor-endorsed mitigation: disable the temp handler for the UploadDownloadProxy (remove the t.dn handler line in UploadDownloadProxy\Web.config). Expect some feature impact.
  3. Hunt for IOCs & access logs:
    • Requests to /storage/t.dn?s=..\..\..\Program+Files+(x86)\Gladinet+Cloud+Enterprise\root\Web.config&sid= (also check URL-encoded forms of the traversal, e.g., %2e%2e%5c, and any other file paths pulled through t.dn)
    • Follow-on base64 POST payloads and Event ID 1316 entries; look for command output files subsequently fetched via t.dn.
  4. Rotate secrets: After patch/mitigation, rotate the machine key and any other secrets present in Web.config. Once the validation key is known, any ViewState the server accepted may have been forged, so treat the portal's integrity as lost and look for persistence, not just the initial payload. In environments where rotation is complex, consider re-provisioning the portal component. (Inference based on observed attack path.)
  5. Reduce exposure:
    • Restrict portal access via VPN, reverse proxy allowlists, or IP-restricted ingress.
    • Add WAF rules to block t.dn requests carrying traversal sequences, matching after URL decoding so encoded variants (%2e%2e%5c, %2e%2e/) are caught as well as literal ..\ and ../. (General hardening guidance.)
  6. Monitor & alerting: Add detections for ViewState anomalies, unusual child processes of the web server, and reads of Web.config via HTTP. (General blue-team practice.)
  7. Validate older fixes: Confirm the build is at or beyond 16.4.10315.56368 (the CVE-2025-30406 fix); on older builds the hardcoded key makes the deserialization vector available without any LFI at all.
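For the log-hunting step, here is an added example (not from Huntress or Gladinet) that scans an IIS W3C access log for the request shape described in step 3. The log lines are constructed for illustration, the field order follows a common IIS W3C configuration, and the handler path /storage/t.dn is the one named in the article; the classifier decodes the s parameter before matching so the URL-encoded variant is caught, and chained_clients picks out a source that read Web.config and then came back through the same LFI, the read-back pattern the article describes for retrieving command output.

```python
import re
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log excerpt (not real telemetry). IIS writes spaces inside
# the query string as '+', so every field is a single whitespace-free token.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-09-27 03:12:41 10.0.0.5 GET /storage/t.dn s=a1b2c3.tmp&sid=7 443 - 203.0.113.9 Mozilla/5.0 200
2025-09-27 03:14:02 10.0.0.5 GET /storage/t.dn s=..\..\..\Program+Files+(x86)\Gladinet+Cloud+Enterprise\root\Web.config&sid= 443 - 198.51.100.23 python-requests/2.32 200
2025-09-27 03:15:10 10.0.0.5 GET /storage/t.dn s=%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini&sid= 443 - 198.51.100.23 python-requests/2.32 200
2025-09-27 03:20:55 10.0.0.5 GET /storage/t.dn s=..\..\..\Windows\Temp\out.txt&sid= 443 - 198.51.100.23 curl/8.5.0 200
2025-09-27 03:21:30 10.0.0.5 GET /portal/loginpage.aspx - 443 - 192.0.2.77 Mozilla/5.0 200
"""

# A '..' path component bounded by a separator (or the string edge) in either slash style.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the column names in the latest #Fields header."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def classify_tdn_request(entry: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (reason, decoded_s) for a suspicious /storage/t.dn request, else None.
    Decoding happens before matching so %2e%2e%5c-style encodings are caught too."""
    if entry.get("cs-uri-stem", "").lower() != "/storage/t.dn":
        return None
    query = entry.get("cs-uri-query", "-")
    if query == "-":
        return None
    params = dict(kv.split("=", 1) if "=" in kv else (kv, "") for kv in query.split("&"))
    s_value = unquote_plus(params.get("s", ""))
    if "web.config" in s_value.lower():
        return ("web.config read via t.dn", s_value)
    if TRAVERSAL.search(s_value):
        return ("path traversal via t.dn", s_value)
    return None


def hunt(text: str) -> List[Tuple[str, str, str, str]]:
    """Scan a log excerpt; return (timestamp, client_ip, reason, decoded_path) per hit, in log order."""
    hits = []
    for e in parse_iis_w3c(text):
        result = classify_tdn_request(e)
        if result:
            hits.append((f"{e['date']} {e['time']}", e.get("c-ip", "-"), result[0], result[1]))
    return hits


def chained_clients(hits: List[Tuple[str, str, str, str]]) -> List[str]:
    """Client IPs that read Web.config and later used the same LFI again: the read-back
    pattern in which command output is written to disk and fetched through t.dn."""
    seen_config = set()
    chained: List[str] = []
    for _, ip, reason, _ in hits:
        if reason.startswith("web.config"):
            seen_config.add(ip)
        elif ip in seen_config and ip not in chained:
            chained.append(ip)
    return chained


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(" | ".join(hit))
    print("chained clients:", chained_clients(hunt(SAMPLE_LOG)))
```

Point it at the real W3C files under the IIS log directory for the portal site; the benign first request (a plain temp file name) produces no hit, which is the discrimination you want when the handler is still enabled in production.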

Differences / comparisons with other cases

  • This case mirrors other “LFI → secret theft → deserialization RCE” chains where a config secret transforms a medium-score LFI into full RCE (e.g., historical ViewState MAC abuse). The novelty here is the bypass of a prior RCE fix via machine-key recovery, underlining that defense-in-depth—not point patches—prevents re-weaponization.

Summary / key takeaways

  • CVE-2025-11371 lets unauthenticated attackers read files (notably Web.config) from CentreStack/Triofox.
  • Stolen machine keys enable RCE via the previously fixed CVE-2025-30406, explaining real-world compromises.
  • Patch to 16.10.10408.56683 immediately; if you can’t, disable the temp handler and monitor for the IOCs above.

Sources / bibliography

  • BleepingComputer, “Gladinet fixes actively exploited zero-day in file-sharing software,” Oct 16, 2025.
  • Huntress, “Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw (CVE-2025-11371),” updated Oct 15, 2025.
  • BleepingComputer, “Hackers exploiting zero-day in Gladinet file sharing software,” Oct 10, 2025.
  • NVD, entries for CVE-2025-11371 and CVE-2025-30406.
  • SecurityWeek, “Gladinet Patches Exploited CentreStack Vulnerability,” October 2025.