
Cybersecurity firm Huntress said it has seen active exploitation of an unpatched security flaw affecting its Gladinet CentreStack and TrioFox products in the wild.
The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintentional disclosure of system files. This affects all versions of the software prior to 16.7.10368.56560.
Huntress said it first detected this activity on September 27, 2025, and so far three of its customers have been found to be affected.
It is worth noting that both applications were previously affected by CVE-2025-30406 (CVSS score: 9.0). That flaw stemmed from a hard-coded machine key, which could allow a threat actor to achieve remote code execution via a ViewState deserialization vulnerability. It has since been exploited in the wild.

According to Huntress, CVE-2025-11371 “allowed a threat actor to obtain a machine key from an application’s Web.config file and execute remote code via the ViewState deserialization vulnerability described above. Additional details of this flaw are pending in light of active investigation and absence of a patch.”
In one case the company investigated, the affected version was newer than 16.4.10315.56368 and therefore not vulnerable to CVE-2025-30406. This suggests that an attacker could exploit an earlier version and use a hard-coded machine key to execute code remotely via the flaw in ViewState deserialization.

In the meantime, Huntress recommends disabling the “temp” handler in the Web.config file for UploadDownloadProxy, located at “C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config”.
“While this impacts some functionality on the platform, it ensures that this vulnerability cannot be exploited until it is patched,” said Huntress researchers Brian Masters, James McLachlan, Jay Minton and John Hammond.
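The following PowerShell script is an added example, not code from Huntress or Gladinet, that audits the UploadDownloadProxy Web.config for the “temp” handler and, when asked, backs the file up and removes the entry. It assumes the handler is registered as an `<add name="temp" .../>` element under `<system.webServer><handlers>`, the standard IIS location for HTTP handlers; the exact element in a given install should be confirmed before removal.

```powershell
# Added example (not from the Huntress advisory or Gladinet): audit a CentreStack/TrioFox
# UploadDownloadProxy Web.config for the "temp" handler and optionally remove it.
# Assumption: the handler is registered as <add name="temp" .../> under
# <system.webServer><handlers>, the standard IIS location for HTTP handlers.
param(
    [string]$WebConfig = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config',
    [switch]$Remove   # without -Remove the script only reports what it finds
)

if (-not (Test-Path -LiteralPath $WebConfig)) {
    throw "Web.config not found at $WebConfig"
}

[xml]$cfg = Get-Content -LiteralPath $WebConfig -Raw

# Snapshot the matches into an array: a live XmlNodeList would shrink as nodes are removed.
# The translate() call makes the name comparison case-insensitive.
$found = @($cfg.SelectNodes("//system.webServer/handlers/add[translate(@name,'TEMP','temp')='temp']"))

if ($found.Count -eq 0) {
    Write-Output "OK: no 'temp' handler registered in $WebConfig"
    return
}

foreach ($h in $found) {
    Write-Output ("FOUND: name={0} path={1} verb={2} type={3}" -f $h.name, $h.path, $h.verb, $h.type)
}

if (-not $Remove) {
    Write-Output "Re-run with -Remove to disable the handler (a timestamped backup is written first)."
    return
}

# Back up before editing so the change can be reverted once a patched build is installed.
$backup = "$WebConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $WebConfig -Destination $backup
Write-Output "Backup written to $backup"

foreach ($h in $found) {
    [void]$h.ParentNode.RemoveChild($h)
}
$cfg.Save($WebConfig)
Write-Output "Removed $($found.Count) 'temp' handler entry(ies); IIS picks up the Web.config change on its own."
```

Run it without `-Remove` first across affected hosts to inventory which installs still expose the handler, then with `-Remove` under an elevated prompt; the backup lets the handler be restored after upgrading to 16.7.10368.56560 or later.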