📅 October 13, 2025 | ⏱ 4 min read | 🔐 Category: Zero-Day Vulnerabilities
Cybersecurity researchers are sounding the alarm about active exploitation of a zero-day vulnerability in two widely used business file-sharing platforms, Gladinet CentreStack and TrioFox. The flaw, tracked as CVE-2025-11371, lets unauthenticated attackers read sensitive files from the server and, chained with a previously exploited bug, achieve full remote code execution on targeted systems.
With no patch currently available and thousands of businesses across 49 countries potentially exposed, organizations running these platforms need to apply mitigations immediately. The case also shows how attackers have become adept at chaining several flaws together, turning a moderate-severity bug into a critical remote takeover.
What Makes This Vulnerability So Dangerous
CVE-2025-11371 is an unauthenticated Local File Inclusion (LFI) vulnerability affecting all versions of CentreStack and TrioFox up to and including the latest release, 16.7.10368.56560. On its own, the flaw carries a CVSS score of 6.1 (medium severity), a rating that reflects only the file-read impact and might not trigger alarm bells for security teams prioritizing critical patches.
The real danger emerges when attackers chain it with CVE-2025-30406, a previously disclosed hard-coded ASP.NET machine key vulnerability that enables remote code execution through ViewState deserialization. Together, the two turn a file-disclosure issue into a complete system compromise.
The attack sequence works like this: first, attackers exploit the LFI flaw to read the application's Web.config, the ASP.NET configuration file that holds the machine key. With the validation key in hand, they can sign a malicious ViewState payload that the server accepts as genuine and deserializes, executing arbitrary code in the context of the web application and taking control of the file-sharing infrastructure. Because the LFI reads whatever key is currently configured, a deployment that replaced the original hard-coded key is still exposed once that key can be read.
This chaining highlights a blind spot in how organizations prioritize security updates. Medium-severity vulnerabilities that seem manageable in isolation become catastrophic when combined with other flaws, especially when attackers understand those relationships better than defenders do.
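Since the chain depends on reading the machine key, the first question for a defender is whether that key is a literal value sitting in a Web.config, and how to replace it if it may have been read. The following PowerShell is an added example, not code from the article, Huntress or Gladinet: it reports whether a given Web.config carries a literal `<machineKey>` and generates fresh keys for rotation. The Web.config path in the usage comment is a placeholder for your own deployment; the element location (`/configuration/system.web/machineKey`) and the key lengths are standard ASP.NET.

```powershell
# Added example: not code from the article, Huntress or Gladinet.
# Audits the <machineKey> element in an ASP.NET Web.config and generates replacement keys.
# The attack chain needs the key, so a key that may have been read stays dangerous until
# it is rotated. The path is supplied by the caller; nothing here is specific to Gladinet.

function Get-MachineKeyStatus {
    param([Parameter(Mandatory)][string]$Path)

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load((Resolve-Path -LiteralPath $Path).ProviderPath)

    $mk = $xml.SelectSingleNode('/configuration/system.web/machineKey')
    if ($null -eq $mk) {
        # No explicit element: keys are auto-generated per machine/app and never appear in the file.
        return [pscustomobject]@{ Path = $Path; Present = $false; Literal = $false; Validation = $null }
    }
    $vk = $mk.GetAttribute('validationKey')
    $dk = $mk.GetAttribute('decryptionKey')
    # A literal hex key means anyone who can read this file can sign (or decrypt) ViewState.
    $literal = ($vk -ne '' -and $vk -notlike 'AutoGenerate*') -or ($dk -ne '' -and $dk -notlike 'AutoGenerate*')
    [pscustomobject]@{
        Path       = $Path
        Present    = $true
        Literal    = $literal
        Validation = $mk.GetAttribute('validation')
    }
}

function ConvertTo-HexString {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    ([System.BitConverter]::ToString($Bytes)).Replace('-', '')
}

function New-MachineKeyElement {
    # HMACSHA256 validation uses a 64-byte key; AES decryption uses a 32-byte key.
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $vBytes = New-Object byte[] 64
    $dBytes = New-Object byte[] 32
    $rng.GetBytes($vBytes)
    $rng.GetBytes($dBytes)
    $vk = ConvertTo-HexString -Bytes $vBytes
    $dk = ConvertTo-HexString -Bytes $dBytes
    '<machineKey validationKey="{0}" decryptionKey="{1}" validation="HMACSHA256" decryption="AES" />' -f $vk, $dk
}

# Usage (the path is a placeholder for your deployment):
# Get-MachineKeyStatus -Path 'C:\inetpub\wwwroot\app\Web.config'
# New-MachineKeyElement   # paste the output into every Web.config that must share the key
```

Two caveats when rotating: every web application in the deployment that shares ViewState or forms-authentication tickets must receive the same new key at the same time, and the rotation invalidates existing sessions, so schedule it. Rotation closes the door on a key that has already leaked; it does nothing to stop the file read itself, which is what the vendor-side mitigation below addresses.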
Active Exploitation in the Wild
Managed security provider Huntress first detected active exploitation of CVE-2025-11371 on September 27, 2025, when investigating suspicious activity affecting one of their customers. The initial investigation revealed that threat actors had successfully leveraged the vulnerability to extract machine keys and achieve remote code execution on targeted CentreStack and TrioFox installations.
As of the latest disclosures, at least three organizations have been confirmed as victims of these attacks. However, given the widespread deployment of these platforms across thousands of businesses globally, the actual number of compromised systems may be significantly higher. Many organizations may not yet realize they’ve been breached, particularly if attackers are maintaining persistent access while avoiding detection.
When Huntress contacted Gladinet to report their findings, they discovered the vendor was already aware of the vulnerability and had been working with several victims to contain the damage. This suggests exploitation may have begun even earlier than September 27, with the flaw being exploited quietly before wider disclosure.
The timing is particularly concerning because CVE-2025-30406, the deserialization vulnerability being chained with this new flaw, was previously exploited in the wild back in March 2025. Attackers have had months to understand and weaponize the ViewState deserialization attack path, making the discovery of a new method to obtain machine keys immediately actionable for sophisticated threat actors.
Understanding the Target: Business File Sharing Platforms
CentreStack and TrioFox serve as enterprise alternatives to consumer cloud storage services, allowing organizations to maintain control over their data while providing modern file sharing and remote access capabilities. CentreStack enables employees to access company files remotely through mapped drives, mobile applications, or web browsers without migrating everything to public cloud platforms like Dropbox or Google Drive.
TrioFox focuses specifically on cloud-enabling existing file servers, providing VPN-less remote access with Active Directory integration, version control, and secure file sharing capabilities. These platforms appeal to organizations with compliance requirements or data sovereignty concerns that prevent wholesale migration to public cloud infrastructure.
The business-critical nature of these platforms makes them particularly attractive targets for cybercriminals. Compromising a file-sharing system provides attackers with potential access to sensitive corporate documents, intellectual property, customer data, and other valuable information that organizations typically store in centralized repositories. The remote access functionality also offers convenient pathways for maintaining persistent presence within target networks.
Immediate Mitigation Required
With no patch currently available from Gladinet, organizations running affected versions must implement a workaround to prevent exploitation. Huntress has published mitigation steps that disable the vulnerable functionality, at the cost of some platform features.
The recommended mitigation is to edit the Web.config for the UploadDownloadProxy component and remove the line that registers the "temp" handler, the handler through which the Local File Inclusion is reached. Back the file up before editing; ASP.NET restarts the application automatically when Web.config changes, so no separate service restart is needed for the edit to take effect.
Removing this registration closes the exploitation path for CVE-2025-11371 by taking away the mechanism attackers use to read arbitrary files. It does not undo a disclosure that has already happened: if the machine key may already have been read, it needs to be rotated as well. Security researchers also caution that the workaround affects certain platform functionality, forcing a tradeoff between security and operational capability.
Organizations must weigh the operational impact of applying mitigations against the very real risk of system compromise through active exploitation. Given that attackers are already leveraging this vulnerability chain in the wild, the security imperative should take precedence over temporary feature limitations until an official patch becomes available.
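Applying the workaround by hand on a fleet of servers invites mistakes, so here is the edit scripted. This PowerShell is an added example, not the article's, Huntress's or Gladinet's code: it backs up the UploadDownloadProxy Web.config, removes every handler registration whose `type` attribute matches a pattern, and saves the file. The default path and the `TempHandler` match string are assumptions inferred from the advisory's wording ("temp handler", UploadDownloadProxy); confirm both against the current Huntress advisory and your install before running.

```powershell
# Added example: not code from the article, Huntress or Gladinet.
# Removes the handler registration from the UploadDownloadProxy Web.config after taking a
# backup. The default path and the 'TempHandler' pattern are ASSUMPTIONS based on the
# advisory's wording; verify them against the advisory and the file on your server.

function Disable-TempHandler {
    param(
        [string]$WebConfig = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config',
        [string]$HandlerTypePattern = 'TempHandler'   # regex matched against <add type="...">
    )

    if (-not (Test-Path -LiteralPath $WebConfig)) { throw "Web.config not found: $WebConfig" }
    $full   = (Resolve-Path -LiteralPath $WebConfig).ProviderPath
    $backup = "$full.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $full -Destination $backup

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($full)

    # Handlers may be registered in either section depending on the IIS pipeline mode.
    $hits = @( $xml.SelectNodes('//system.web/httpHandlers/add | //system.webServer/handlers/add') |
               Where-Object { $_.GetAttribute('type') -match $HandlerTypePattern } )

    if ($hits.Count -eq 0) {
        Write-Warning "No handler matching '$HandlerTypePattern' in $full (already mitigated?)"
        return
    }
    foreach ($node in $hits) {
        Write-Host "Removing: $($node.OuterXml)"
        [void]$node.ParentNode.RemoveChild($node)
    }
    $xml.Save($full)   # ASP.NET recycles the application when Web.config changes
    Write-Host "Saved $full (backup: $backup)"
}

# Usage, in an elevated PowerShell on the CentreStack/TrioFox server:
# Disable-TempHandler
# Disable-TempHandler -WebConfig 'D:\Apps\Gladinet\UploadDownloadProxy\Web.config'
```

The script prints each removed element before saving, so the run log shows exactly what was taken out; if it reports no match, inspect the file manually rather than assuming the server is safe, since the registration may use a different type name than the pattern assumes.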
Broader Implications for Enterprise Security
The Gladinet vulnerability exploitation demonstrates several concerning trends in modern cyber threats. The chaining of multiple vulnerabilities to achieve maximum impact has become standard practice among sophisticated attackers, who maintain extensive knowledge of how different security flaws can be combined for devastating effect.
The reuse of CVE-2025-30406, a vulnerability from March 2025, shows how attackers continue exploiting known flaws long after initial disclosure and patching. When new vulnerabilities emerge that enable access to components required for older attacks—like machine keys in this case—threat actors quickly adapt their toolkits to incorporate these new capabilities.
For organizations using business-critical software like file sharing platforms, this incident reinforces the importance of defense-in-depth strategies that don’t rely solely on vendor patching. Network segmentation, access controls, monitoring for suspicious file access patterns, and regular security assessments can help detect exploitation attempts even when zero-day vulnerabilities exist.
The delay in patch availability also highlights the challenges facing vendors when security flaws are discovered in widely-deployed products. Developing, testing, and distributing fixes for complex business software requires time, leaving customers vulnerable during the gap between disclosure and remediation. This reality makes interim mitigations and workarounds critical components of responsible vulnerability disclosure processes.
What Organizations Should Do Now
CentreStack and TrioFox users should immediately verify whether they’re running vulnerable versions and apply the published mitigation steps without delay. The active exploitation status means this isn’t a theoretical risk—attackers are successfully compromising systems right now, and unprotected installations represent easy targets.
Security teams should also review logs for signs of suspicious activity, in particular web requests containing path-traversal sequences or references to configuration files, unusual file access patterns, and unexpected changes to system configuration. Given that exploitation has been occurring since at least late September, compromised systems may already have persistent backdoors installed that will survive even after patches become available.
Organizations should prepare incident response procedures in case they discover they've been compromised, including plans for credential rotation (the ASP.NET machine key among them), system restoration from clean backups, and forensic investigation to understand the full scope of any breach. The combination of file access and remote code execution capabilities means attackers could have accessed extensive sensitive data or installed additional malware on compromised systems.
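A concrete starting point for the log review is the IIS W3C log on the CentreStack or TrioFox server. The PowerShell below is an added example, not code from the article, Huntress or Gladinet: it reads the `#Fields:` header to map columns, decodes each request twice to catch double-encoding, and flags requests whose path or query string contains a traversal sequence or a reference to Web.config, marking those the server answered with a 2xx as the ones to chase first. The log lines at the bottom are constructed for the demo; their URL stems and parameter names are placeholders and do not describe the real exploitation traffic.

```powershell
# Added example: not code from the article, Huntress or Gladinet.
# Scans IIS W3C log lines for requests that look like file-inclusion attempts: path
# traversal or a Web.config reference in the URL or query string, decoded twice so that
# double-encoded sequences are seen the way the application would see them.

function Find-LfiIndicators {
    param([Parameter(Mandatory)][string[]]$Lines)

    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns; field order can differ between log files.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or $fields.Count -eq 0) { continue }

        $cols = $line -split ' '
        if ($cols.Count -lt $fields.Count) { continue }
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }

        $stem  = $rec['cs-uri-stem']
        $query = if ($rec['cs-uri-query'] -eq '-') { '' } else { $rec['cs-uri-query'] }
        $raw   = if ($query) { "$stem?$query" } else { $stem }
        # Two rounds of decoding turn %252e%252e%252f into ../
        $decoded = [uri]::UnescapeDataString([uri]::UnescapeDataString($raw))

        $reasons = @()
        if ($decoded -match '\.\.[\\/]')   { $reasons += 'path traversal' }
        if ($decoded -match 'web\.config') { $reasons += 'Web.config reference' }
        if ($reasons.Count -eq 0) { continue }

        # A 2xx means the handler processed the request; a 404 is more likely a probe.
        $severity = if ($rec['sc-status'] -match '^2') { 'HIGH (server answered)' } else { 'probe' }
        [pscustomobject]@{
            Time     = "$($rec['date']) $($rec['time'])"
            ClientIP = $rec['c-ip']
            Status   = $rec['sc-status']
            Request  = $raw
            Reasons  = $reasons -join ', '
            Severity = $severity
        }
    }
}

# Constructed sample log (not real traffic); stems and parameter names are placeholders.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-09-27 03:14:02 10.0.0.5 GET /portal/login.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 12
2025-09-27 03:14:07 10.0.0.5 GET /proxy/file path=..%2F..%2FWeb.config 443 - 203.0.113.10 python-requests/2.31 - 200 0 0 31
2025-09-27 03:14:09 10.0.0.5 GET /proxy/file path=%252e%252e%252f%252e%252e%252fWeb.config 443 - 203.0.113.10 python-requests/2.31 - 200 0 0 28
2025-09-27 03:15:40 10.0.0.5 GET /proxy/file path=../../etc/passwd 443 - 203.0.113.10 curl/8.0 - 404 0 2 4
'@ -split "`r?`n"

Find-LfiIndicators -Lines $sample | Format-Table -AutoSize
```

On a real server, feed it the log directory instead of the sample: `Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' | Find-LfiIndicators -Lines $_` is the shape, though for large logs you would pass the content through `Get-Content -ReadCount` in batches. Treat any HIGH hit against the file-sharing application as a possible machine-key disclosure and move straight to the incident response steps below.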
As Gladinet works to develop an official patch, affected organizations must remain vigilant and prioritize the security of their file-sharing infrastructure. The zero-day nature of this vulnerability, combined with active exploitation and vulnerability chaining techniques, creates a perfect storm of risk that demands immediate attention from security teams responsible for protecting business-critical data.
Written by: Logan Elliott
Cyberix
https://www.cyberixsafe.com
