Security research firm Huntress is warning all users of Gladinet’s CentreStack and Triofox file-sharing tools to urgently apply an available mitigation, as a zero-day is being actively exploited and there’s no patch available.
Tracked as CVE-2025-11371 (severity 6.2), the local file inclusion vulnerability is the second bug that Huntress has found in Gladinet’s software this year.
The researchers spotted exploit activity on September 27, even on machines that were patched against CVE-2025-30406 (9.8) – the critical remote code execution (RCE) vulnerability the team found in April.
Huntress said it has seen at least three Gladinet customers attacked using CVE-2025-11371 so far, and that the vendor was already aware of the issue before Huntress got in touch, having worked directly with customers to develop a mitigation.
Details about how to apply the temporary workaround can be found through Huntress’ blog, or from the emails Gladinet should have sent to customers explaining the same.
CentreStack and Triofox are both B2B software products that focus on secure, VPN-free, remote file access.
The former is pitched at managed service providers so that they can offer their own-brand remote access and file-sharing solution to clients, while Triofox is marketed more toward single enterprises.
CentreStack’s website states that it is trusted by more than 1,000 IT solution providers and enterprises, and lists globally recognized brands among them.
Triofox lists similar clients but does not indicate a number of customers, although it says the product is designed for industries such as healthcare, engineering, and legal.
Huntress said that, if exploited successfully, CVE-2025-11371 could allow an attacker to retrieve the machine key from either CentreStack or Triofox’s web.config file to then exploit CVE-2025-30406 for RCE.
File sharing and remote access software are commonly targeted by financially motivated cybercriminals, such as ransomware and extortion gangs.
Having access to an organization’s sensitive data, or multiple organizations in cases where an MSP is targeted, can lead to data being stolen and used as leverage to negotiate a ransom payment.
Fortra recently had to scramble to patch a perfect-10 bug in its GoAnywhere MFT product, a couple of years after ransomware giants LockBit and Black Basta targeted it with an earlier vulnerability.
Cl0p’s attack on Progress’ MOVEit in 2023 is another infamous example of how financially motivated criminals target file-sharing solutions in pursuit of mega paydays.
Exploiting one bug in MOVEit allowed Cl0p to access data on thousands of organizations, going down as one of the great supply chain attacks in recent history. ®