CVE-2025-11371 Overview
CVE-2025-11371 is an unauthenticated Local File Inclusion (LFI) vulnerability affecting the default installation and configuration of Gladinet CentreStack and TrioFox file sharing and collaboration platforms. This vulnerability allows remote attackers to access and disclose sensitive system files without requiring any authentication, potentially exposing configuration data, credentials, and other critical information stored on affected systems.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, requiring immediate attention from organizations using affected Gladinet products.
Affected Products
- Gladinet CentreStack - All versions prior to and including 16.7.10368.56560
- Gladinet TrioFox - All versions prior to and including 16.7.10368.56560
Discovery Timeline
- October 9, 2025 - CVE-2025-11371 published to NVD
- November 5, 2025 - Last updated in NVD database
Technical Details for CVE-2025-11371
Vulnerability Analysis
This Local File Inclusion vulnerability exists in the default installation and configuration of Gladinet CentreStack and TrioFox enterprise file sharing solutions. The flaw allows unauthenticated remote attackers to include and read arbitrary local files from the server's file system. Because no authentication is required to exploit this vulnerability, any network-accessible instance is at risk.
The vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties), indicating that the affected software improperly exposes file system resources to unauthorized users. Successful exploitation enables attackers to read sensitive system files, potentially including configuration files containing database credentials, API keys, encryption keys, or other sensitive information that could facilitate further attacks against the organization.
Active exploitation of this vulnerability has been observed in the wild, prompting CISA to add CVE-2025-11371 to its Known Exploited Vulnerabilities catalog. Organizations should treat this as an urgent priority for remediation.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and access controls within the file handling mechanisms of Gladinet CentreStack and TrioFox. The default installation fails to properly sanitize user-supplied file path parameters, allowing attackers to traverse directory structures and access files outside the intended web root or application directory. This lack of proper path validation enables unauthenticated users to request and retrieve arbitrary files from the underlying system.
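To make the root cause concrete, the following is an added illustration written for this page. It is not Gladinet's code and makes no claim about the product's actual code path; it shows the generic pattern the description refers to: a naive file-serving routine that joins a user-supplied path onto a base directory, beside a hardened version that percent-decodes repeatedly, treats backslashes as separators, rejects absolute paths, canonicalizes with realpath and confines the result to the base directory. The function names, the temporary directory layout and the sample "secret" file are constructed.

```python
import os
import shutil
import tempfile
import urllib.parse

# Illustrative code constructed for this page (not Gladinet's implementation).


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """'Before': the user-supplied path is joined onto base_dir with no
    canonicalization or containment check, so '../' sequences and absolute
    paths resolve to files outside the intended directory."""
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` inside `base_dir`,
    or raise ValueError if the request would leave the base directory."""
    # Decode repeatedly (bounded) so ..%2f and double-encoded ..%252f cannot
    # survive a single decoding step.
    decoded = requested
    for _ in range(3):
        new = urllib.parse.unquote(decoded)
        if new == decoded:
            break
        decoded = new
    # Treat backslashes as separators (Windows/IIS hosts) and reject NUL
    # bytes, rooted paths, UNC paths and drive letters outright.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        raise ValueError("absolute path or NUL byte rejected")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    # Containment check on canonical paths: target must be base or below it.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target


def hardened_read(base_dir: str, requested: str) -> bytes:
    """'After': only files resolved under base_dir can be opened."""
    with open(resolve_under_base(base_dir, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway tree (webroot/ plus a sibling secret) and compare
    the two routines on benign and traversal-style requests."""
    root = tempfile.mkdtemp()
    try:
        web = os.path.join(root, "webroot")
        os.makedirs(web)
        with open(os.path.join(web, "public.txt"), "wb") as fh:
            fh.write(b"public")
        with open(os.path.join(root, "secret.cfg"), "wb") as fh:
            fh.write(b"db_password=example")  # constructed sample secret
        results = {}
        results["vuln_leaks"] = vulnerable_read(web, "../secret.cfg") == b"db_password=example"
        results["hardened_ok"] = hardened_read(web, "public.txt") == b"public"
        probes = ("../secret.cfg", "..%2fsecret.cfg", "..%252fsecret.cfg",
                  "..\\secret.cfg", "/etc/passwd")
        for probe in probes:
            try:
                hardened_read(web, probe)
                results[probe] = False      # would mean the probe was served
            except ValueError:
                results[probe] = True       # rejected before any file I/O
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The decisive difference is that the hardened routine compares canonical paths after decoding and normalization, rather than looking for `..` in the raw string; string-based blacklists are exactly what encoded and backslash variants slip past.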
Attack Vector
The attack vector is network-based, requiring no user interaction or privileges. An attacker can craft malicious HTTP requests containing path traversal sequences or specially formatted file path parameters to request arbitrary files from the server. The attack can be executed remotely against any internet-exposed or network-accessible CentreStack or TrioFox instance running a vulnerable version.
Typical exploitation involves manipulating URL parameters or request paths to include traversal sequences (such as ../) or absolute file paths, bypassing intended directory restrictions to read sensitive files like configuration files, log files, or system files containing credentials and other sensitive data.
Detection Methods for CVE-2025-11371
Indicators of Compromise
- Unusual HTTP requests containing path traversal sequences (../, ..%2f, ..%252f) in URL parameters or paths targeting Gladinet services
- Web server logs showing requests for sensitive system files such as web.config, application configuration files, or Windows system files
- Unexpected access patterns to Gladinet CentreStack or TrioFox endpoints from unknown or suspicious IP addresses
- Evidence of reconnaissance activity targeting known LFI-vulnerable endpoints
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block path traversal patterns in incoming requests
- Monitor IIS or web server logs for requests containing encoded traversal sequences or attempts to access files outside the application directory
- Implement network intrusion detection signatures for known LFI exploitation patterns targeting Gladinet products
- Correlate authentication logs with file access patterns to identify unauthorized file disclosure attempts
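The indicators and detection strategies above can be turned into a concrete log check. The following is an added example, not taken from the page, from Gladinet or from any vendor tooling: it parses an IIS W3C log excerpt using its `#Fields` header, percent-decodes each request repeatedly so that `..%2f` and `..%252f` both surface as `../`, normalizes backslashes, and flags traversal sequences and requests for sensitive files, escalating the finding when the server answered 2xx (a likely successful disclosure rather than a blocked probe). The log lines, client addresses, `/app/` paths and the sensitive-file watch-list are constructed placeholders, not real Gladinet endpoints or confirmed indicators.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Constructed sample IIS W3C log excerpt. Client IPs use documentation ranges
# and the "/app/" paths are placeholders, not real Gladinet endpoints.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-10-10 12:00:01 10.0.0.5 GET /app/index.html - 198.51.100.7 200
2025-10-10 12:00:02 10.0.0.5 GET /app/files/ f=..%2f..%2f..%2fwindows%2fwin.ini 203.0.113.9 200
2025-10-10 12:00:03 10.0.0.5 GET /app/files/ f=..%252f..%252fweb.config 203.0.113.9 200
2025-10-10 12:00:04 10.0.0.5 GET /app/api/status - 198.51.100.7 200
2025-10-10 12:00:05 10.0.0.5 GET /app/files/..\\..\\inetpub\\wwwroot\\web.config - 203.0.113.9 404
"""

# ".." that is not part of a longer token and is followed by a separator or end.
TRAVERSAL = re.compile(r"(?:^|[^\w.])\.\.(?:$|[/\\])")
# Constructed watch-list; extend with the configuration files your deployment holds.
SENSITIVE_FILES = ("web.config", "machine.config", "applicationhost.config", "win.ini")


def deep_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so single- and double-encoded
    traversal sequences both normalize to plain '../'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


@dataclass
class Finding:
    time: str
    client_ip: str
    status: int
    reason: str
    request: str


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the #Fields directive; '-' is empty."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ", len(fields) - 1)
        if len(values) != len(fields):
            continue  # malformed record; a production parser would report it
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def scan_log(text: str) -> list:
    """Return Findings for records showing traversal or sensitive-file access."""
    findings = []
    for rec in parse_w3c(text):
        raw = rec["cs-uri-stem"] or ""
        if rec["cs-uri-query"]:
            raw += "?" + rec["cs-uri-query"]
        # Decode defensively even if the server already decoded the stem.
        normalized = deep_decode(raw).replace("\\", "/")
        reasons = []
        if TRAVERSAL.search(normalized):
            reasons.append("path traversal sequence")
        hits = [f for f in SENSITIVE_FILES if f in normalized.lower()]
        if hits:
            reasons.append("sensitive file requested: " + ",".join(hits))
        if reasons:
            status = int(rec["sc-status"] or 0)
            # A 2xx answer to a traversal request means the file was likely served.
            if 200 <= status < 300:
                reasons.append("HTTP 2xx: probable successful disclosure")
            findings.append(Finding(rec["time"], rec["c-ip"], status, "; ".join(reasons), raw))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time} {f.client_ip} {f.status} {f.reason} :: {f.request}")
```

In the sample, the three requests from 203.0.113.9 are flagged and the two benign requests are not; the 404 on the backslash variant is still reported, since a blocked probe from the same source is what makes the preceding 200s worth an incident ticket rather than a WAF tuning note.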
Monitoring Recommendations
- Enable verbose logging on Gladinet CentreStack and TrioFox installations to capture all file access requests
- Configure SIEM alerts for requests containing path traversal indicators targeting Gladinet application endpoints
- Monitor for outbound connections following successful file reads that may indicate data exfiltration
- Review access logs regularly for patterns consistent with automated scanning or exploitation attempts
How to Mitigate CVE-2025-11371
Immediate Actions Required
- Immediately upgrade Gladinet CentreStack and TrioFox to the latest available version that addresses this vulnerability
- If immediate patching is not possible, restrict network access to Gladinet services to trusted IP ranges only
- Review server logs for evidence of exploitation and conduct incident response if compromise is suspected
- Audit exposed configuration files and rotate any credentials that may have been disclosed
Patch Information
Gladinet has released updated versions to address this vulnerability. Organizations should upgrade to versions newer than 16.7.10368.56560 for both CentreStack and TrioFox products. Refer to the CentreStack Latest Release Information page for the latest patched version and upgrade instructions. Given the active exploitation status and CISA KEV listing, patching should be treated as an emergency priority.
Workarounds
- Implement network-level access controls to restrict access to Gladinet services from untrusted networks
- Deploy a web application firewall (WAF) with rules to block path traversal attempts and LFI patterns
- Place Gladinet services behind a VPN or reverse proxy with strong authentication requirements
- Disable or restrict access to any unnecessary endpoints or features until patching can be completed
# Example: Restrict access to Gladinet services using Windows Firewall (run from an elevated PowerShell prompt)
# Allow only trusted IP ranges to reach the application port (443 assumed; replace 192.168.1.0/24 with your trusted range)
netsh advfirewall firewall add rule name="Restrict Gladinet Access" dir=in action=allow protocol=tcp localport=443 remoteip=192.168.1.0/24
# Do NOT add a separate block rule for remoteip=any on the same port: Windows Firewall gives block rules
# precedence over allow rules, so such a rule would also cut off the trusted range allowed above.
# Instead, ensure the profile's default inbound action is Block, which denies every inbound connection not matched by an allow rule
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# Then confirm no pre-existing, broader allow rule for the same port (for example a default IIS/HTTPS rule) remains; narrow or remove it if it does
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.