Oct 10, 2025Ravie LakshmananVulnerability / Zero-Day
Cybersecurity firm Huntress stated it has noticed lively in-the-wild exploitation of an unpatched safety flaw impacting Gladinet CentreStack and TrioFox merchandise.
The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS rating: 6.1), is an unauthenticated native file inclusion bug that permits unintended disclosure of system recordsdata. It impacts all variations of the software program previous to and together with 16.7.10368.56560.
Huntress stated it first detected the exercise on September 27, 2025, uncovering that three of its clients have been impacted to date.
It is price noting that each functions had been beforehand affected by CVE-2025-30406 (CVSS rating: 9.0), a case of hard-coded machine key that would enable a risk actor to carry out distant code execution by way of a ViewState deserialization vulnerability. The vulnerability has since come beneath lively exploitation.
CVE-2025-11371, per Huntress, “allowed a risk actor to retrieve the machine key from the appliance Net.config file to carry out distant code execution by way of the aforementioned ViewState deserialization vulnerability. Further particulars of the flaw are being withheld in mild of lively exploration and within the absence of a patch.
In a single occasion investigated by the corporate, the affected model was newer than 16.4.10315.56368 and never susceptible to CVE-2025-30406, suggesting that attackers may exploit earlier variations and use the hard-coded machine key to execute code remotely by way of the ViewState deserialization flaw.
Within the interim, customers are advisable to disable the “temp” handler inside the Net.config file for UploadDownloadProxy situated at “C:Program Information (x86)Gladinet Cloud EnterpriseUploadDownloadProxyWeb.config.”
“It will influence some performance of the platform; nevertheless, it would be sure that this vulnerability can’t be exploited till it’s patched,” Huntress researchers Bryan Masters, James Maclachlan, Jai Minton, and John Hammond stated.
