Cybersecurity researchers have uncovered an active Gladinet zero-day exploit targeting CentreStack and Triofox file-sharing software. The vulnerability allows unauthenticated attackers to read sensitive system files and execute remote code.

The flaw, tracked as CVE-2025-11371, poses a critical threat to organizations using Gladinet’s enterprise file-access products. Attackers began exploiting the issue in late September 2025, prompting urgent warnings from security analysts.

How the Exploit Works

The vulnerability stems from an unauthenticated local file inclusion (LFI) flaw in both CentreStack and Triofox. It enables attackers to access configuration files on affected systems.

Once they retrieve the machineKey from the Web.config file, they can combine it with a deserialization flaw to achieve remote code execution. This chained attack grants full control over the targeted server.

The exploit requires no user interaction and bypasses authentication entirely. Because of this, attackers can infiltrate systems quickly and remain undetected for long periods.

Impacted Products and Scope

All unpatched versions of CentreStack and Triofox remain vulnerable. The Gladinet zero-day exploit impacts deployments across both cloud and on-premises environments.

These products are popular among enterprises that use them for remote file synchronization, secure sharing, and hybrid cloud integration. As a result, the potential exposure includes sensitive corporate data and network credentials.

Mitigation and Temporary Workarounds

Gladinet has not yet released an official patch for CVE-2025-11371. However, researchers recommend a temporary workaround. Administrators should disable the “temp” handler within the UploadDownloadProxy Web.config file.

This mitigation disrupts exploit activity but may limit certain file-handling features. In addition, organizations should monitor for unusual file access patterns and unexpected configuration changes.

Why the Exploit Is Dangerous

The Gladinet zero-day exploit combines two vulnerabilities—file inclusion and deserialization—to create a powerful attack chain. This allows adversaries to infiltrate networks without leaving obvious traces.

Once inside, attackers can deploy backdoors, move laterally, or steal data before detection occurs. The exploit’s stealth and simplicity make it attractive to both criminal groups and state-backed actors.

Recommended Actions for Defenders

Security teams should immediately apply the temporary mitigation and restrict access to Gladinet systems. Log monitoring should focus on requests that attempt to retrieve the Web.config file.
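The following is an added example of the log monitoring described above, not code from the original article or from Gladinet. It scans IIS logs for requests whose path or query string names Web.config, including percent-encoded forms. It assumes the server writes W3C extended logs with a #Fields header; the sample log lines, paths, parameter names and IP addresses are constructed.

```python
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format; paths, parameters and IPs are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2025-10-01 08:14:02 198.51.100.7 - GET /portal/example.aspx id=42 200
2025-10-01 08:14:09 203.0.113.50 - GET /example/handler.aspx f=..%5CWeb.config 200
2025-10-01 08:15:30 203.0.113.50 - GET /example/handler.aspx f=%252e%252e%255cweb%252econfig 200
2025-10-01 08:16:11 192.0.2.10 alice GET /portal/docs/webconfig-guide.pdf - 200
2025-10-01 08:17:45 203.0.113.99 - GET /web.config - 404
"""


def fully_decode(value):
    """Percent-decode repeatedly so double-encoded names are still seen."""
    for _ in range(3):  # bounded number of decoding rounds
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_webconfig_requests(log_text):
    """Return one dict per request whose URI stem or query names web.config."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        values = line.split()
        if line.startswith("#") or not fields or len(values) != len(fields):
            continue  # skip directives, blank lines and malformed rows
        row = dict(zip(fields, values))
        target = fully_decode(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
        if "web.config" in target.lower():
            hits.append({
                "when": f'{row.get("date", "")} {row.get("time", "")}',
                "client": row.get("c-ip", "-"),
                "anonymous": row.get("cs-username", "-") == "-",
                "served": row.get("sc-status", "").startswith("2"),
                "uri": target,
            })
    return hits


if __name__ == "__main__":
    for hit in find_webconfig_requests(SAMPLE_LOG):
        print(hit)
```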

Administrators should also isolate vulnerable servers and ensure strong network segmentation. Once a patch becomes available, prompt deployment will be critical to prevent further compromise.

Conclusion

The Gladinet zero-day exploit shows how rapidly attackers weaponize newly discovered vulnerabilities. With public proof-of-concept exploits emerging fast, unpatched systems face immediate risk.

Organizations must act quickly—apply mitigations, strengthen monitoring, and prepare to install official patches once released. In today’s threat landscape, swift response and layered defense remain the best protection against zero-day exploitation.

