Exploited Zero-Day: Gladinet/Triofox Flaw CVE-2025-11371 Allows RCE via LFI

Huntress has sounded the alarm over active exploitation of a newly discovered Local File Inclusion (LFI) in Gladinet CentreStack and Triofox software, tracked as CVE-2025-11371 (CVSS 6.1). The vulnerability, which allows unauthenticated attackers to retrieve sensitive files from vulnerable systems, has already been exploited in the wild, and no patch is currently available.

“Huntress has discovered in-the-wild exploitation of an unauthenticated Local File Inclusion (CVE-2025-11371) in Gladinet CentreStack and Triofox products,” the company revealed. “While there is not yet a patch for the vulnerability, a mitigation is available that impacted organizations should implement as soon as possible.”

This latest incident builds on Huntress’ earlier findings from April 2025, when the company published research into CVE-2025-30406, a critical vulnerability in the same Gladinet product line. That earlier flaw stemmed from a hardcoded machine key that allowed attackers to execute remote code via a ViewState deserialization vulnerability.

However, Huntress’ recent telemetry showed new exploitation attempts targeting updated versions of the software that were no longer vulnerable to CVE-2025-30406. This prompted deeper investigation.

“On September 27, 2025, the Huntress SOC received an alert from an internal detector for successful exploitation of Gladinet CentreStack software. However, the version of the software running was later than 16.4.10315.56368, which was no longer vulnerable to CVE-2025-30406,” the researchers explained.

Their analysis uncovered that attackers had pivoted to exploit a previously unknown Local File Inclusion vulnerability, now cataloged as CVE-2025-11371. This LFI allowed attackers to retrieve the Web.config file, extract the machine key, and chain it with the old ViewState deserialization exploit to achieve remote code execution (RCE).

The attack begins by exploiting the LFI flaw to read arbitrary files from the vulnerable system. Using this, threat actors can retrieve the machine key embedded within the application’s Web.config file.
With the key in hand, they can generate valid serialized payloads for the ViewState mechanism, effectively bypassing authentication and executing arbitrary commands on the target server.

“After subsequent analysis, Huntress discovered exploitation of an unauthenticated local file inclusion vulnerability (CVE-2025-11371) that allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability,” Huntress reported.

Huntress’ Security Operations Center (SOC) first detected signs of this exploitation on September 26, 2025, through an internal detection rule designed to identify post-exploit activity from CVE-2025-30406.

The team observed a base64-encoded payload being executed as a child process of a web server — a hallmark of post-exploitation behavior following ViewState deserialization.
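The telemetry pattern Huntress describes, an encoded payload running as a child of the web server process, is something defenders can hunt for in their own process-creation logs. The following is an added example and not Huntress' detector or Gladinet code: it models a handful of constructed process events (not real telemetry), flags any PowerShell or cmd.exe child of the IIS worker process w3wp.exe, and, where the child carries a PowerShell encoded command, decodes the base64/UTF-16LE argument so an analyst can see the script text. The image names and severity labels are assumptions chosen for the example.

```python
"""Flag encoded commands spawned by an IIS worker process (added example, not Huntress code)."""
import base64
from dataclasses import dataclass

# IIS worker process that hosts the ASP.NET application; shells it should not normally spawn.
WEB_SERVER_IMAGES = {"w3wp.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed shape, not a vendor schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def decode_encoded_command(cmdline):
    """Return the decoded PowerShell -EncodedCommand script, or None if none is present.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...), and the
    argument is base64 of UTF-16LE text, so the switch is matched as a prefix and the next
    token is decoded accordingly.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        name = tok[1:].lower()
        if not name or not "encodedcommand".startswith(name):
            continue
        try:
            raw = base64.b64decode(tokens[i + 1], validate=True)
            return raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def evaluate(events):
    """Apply the rule to every event and return a list of alert dicts, in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in WEB_SERVER_IMAGES:
            continue
        if e.image.lower() not in SHELL_IMAGES:
            continue
        decoded = decode_encoded_command(e.cmdline)
        alerts.append({
            "pid": e.pid,
            "parent": parent.image,
            "child": e.image,
            # Any shell under w3wp.exe is suspicious; an encoded command raises it further.
            "severity": "high" if decoded is not None else "medium",
            "decoded": decoded,
        })
    return alerts


def build_sample_events():
    """Constructed telemetry, not real data: an IIS worker spawning an encoded PowerShell
    command and a cmd.exe, plus an unrelated interactive PowerShell launch from explorer.exe."""
    script = "Write-Output 'constructed sample payload'"
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return [
        ProcessEvent(4321, 700, "w3wp.exe", 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "ExampleAppPool"'),
        ProcessEvent(5100, 4321, "powershell.exe", f"powershell.exe -nop -w hidden -enc {encoded}"),
        ProcessEvent(5101, 4321, "cmd.exe", "cmd.exe /c dir"),
        ProcessEvent(1234, 900, "explorer.exe", "explorer.exe"),
        ProcessEvent(6000, 1234, "powershell.exe", "powershell.exe -NoProfile"),
    ]


if __name__ == "__main__":
    for alert in evaluate(build_sample_events()):
        print(alert)
```

Run against a real event source, the parent lookup would come from the EDR's own parent-process field rather than a PID map built from a single batch, since PIDs are reused over time.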

While Huntress has confirmed exploitation in three customer environments so far, they warn that additional attacks are likely, given the ease of exploitation and the public disclosure of prior vulnerabilities in the same software.

As no official patch is yet available from Gladinet, Huntress urges administrators to apply an immediate mitigation to block exploitation. The company recommends disabling the temp handler within the Web.config file of the UploadDownloadProxy component:

C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config

Administrators should locate the handler definition pointing to t.dn and remove that line.

“This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched,” Huntress advised.
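Huntress' mitigation is a manual edit of Web.config. As an added example (not Huntress or Gladinet code), the script below performs the same change programmatically: it parses the Web.config XML, removes every handler registration whose path attribute is t.dn, and writes a backup copy before saving. The embedded sample Web.config is constructed for illustration; the handler name and type attribute in it are placeholders, and the layout assumed is the standard IIS system.webServer/handlers structure, so administrators should confirm against their own file that the element removed is the one Huntress describes.

```python
"""Remove the t.dn handler registration from an IIS Web.config (added example, not vendor code)."""
import shutil
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Default location given in the advisory; override with a command-line argument.
DEFAULT_WEB_CONFIG = r"C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config"
TARGET_PATH = "t.dn"

# Constructed sample in the standard IIS layout. The handler name and type attribute are
# placeholders; only the path="t.dn" attribute reflects what the advisory describes.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
  </system.web>
  <system.webServer>
    <handlers>
      <add name="PlaceholderTempHandler" path="t.dn" verb="*" type="Placeholder.TempHandler" />
      <add name="PlaceholderOther" path="other.ashx" verb="*" type="Placeholder.OtherHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""


def find_handlers(root, path_value=TARGET_PATH):
    """Return (parent, element) pairs for every <add> under a <handlers> element whose
    path attribute equals path_value (case-insensitive, as IIS paths are)."""
    matches = []
    for handlers in root.iter("handlers"):
        for add in handlers.findall("add"):
            if add.get("path", "").lower() == path_value.lower():
                matches.append((handlers, add))
    return matches


def remove_temp_handler(config_text, path_value=TARGET_PATH):
    """Remove matching handler elements and return (new_config_text, number_removed)."""
    root = ET.fromstring(config_text)
    matches = find_handlers(root, path_value)
    for parent, elem in matches:
        parent.remove(elem)
    # ET.tostring drops the XML declaration, so it is restored on output.
    new_text = '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")
    return new_text, len(matches)


def harden_file(path, path_value=TARGET_PATH):
    """Back up Web.config beside itself as Web.config.bak, then rewrite it without the
    t.dn handler. Returns the number of entries removed (0 means the file was left alone)."""
    path = Path(path)
    text = path.read_text(encoding="utf-8-sig")  # tolerate a BOM, common in Web.config
    new_text, removed = remove_temp_handler(text, path_value)
    if removed:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return removed


if __name__ == "__main__":
    if len(sys.argv) > 1 or Path(DEFAULT_WEB_CONFIG).exists():
        target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_WEB_CONFIG
        print(f"removed {harden_file(target)} handler entry/entries from {target}")
    else:
        text, n = remove_temp_handler(SAMPLE_WEB_CONFIG)
        print(f"dry run on constructed sample: removed {n} entry\n{text}")
```

After editing, restarting the application pool (or running iisreset) applies the change; the .bak copy lets the handler be restored once a vendor patch is installed.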
