Gladinet patches critical vulnerability exploited in the wild

On October 14, 2025, updates were released for an exploited critical vulnerability affecting Gladinet’s CentreStack and Triofox platforms. Gladinet is a US-based software company specializing in enterprise file sharing, remote access, and cloud enablement solutions.

CentreStack and Triofox are Gladinet’s flagship products, and are widely used by managed service providers and enterprise IT teams to enable secure access to files across hybrid environments.

Tracked as CVE-2025-11371, this local file inclusion flaw has a CVSS score of 9.1, and enables an unauthenticated user to access the Web.config file and retrieve a machine key. The attacker does not need valid credentials or access privileges.

By exploiting this vulnerability to read the Web.config file, the attacker could bypass authentication entirely and gain the cryptographic secret needed to compromise the application. This would undermine the integrity of the entire platform and allow full control over the server, including executing arbitrary code, accessing files, and pivoting to other systems.

In order to achieve remote code execution, threat actors are chaining this flaw with CVE-2025-30406, a ViewState deserialization vulnerability that was patched in April 2025.

Exploitation activity was first observed on September 27, 2025, prior to the update release, making it a zero-day. The threat actor has not been identified, and no attribution has been made to a known group.

Gladinet released mitigation guidance on October 10, 2025, and issued a patch on October 14, 2025. The latest release notes confirm that CVE-2025-11371 has been addressed in the latest build.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst insight

Organizations running CentreStack or Triofox are advised to apply the October 14 patch immediately.

For environments where patching is delayed, researchers suggested a mitigation that involves disabling the temp handler in the UploadDownloadProxy Web.config file located at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config. This action blocks access to the machine key and disrupts the attack chain.

Organizations are encouraged to review access logs, validate patch deployment, and implement network segmentation around CentreStack and Triofox deployments. Given the nature of the flaw and confirmed exploitation, systems running affected versions remain at elevated risk until patched.