Hackers Take Advantage of LFI Vulnerability in File-Sharing Platforms


Attackers Access Server Files and Compromise Credentials in Gladinet CentreStack and Triofox


Recent research reveals that hackers are exploiting a vulnerability that allows unauthorized access to critical files in file-sharing and remote-access applications, including Gladinet CentreStack and Triofox. Through this flaw, attackers can obtain sensitive access tokens and passwords essential for remote access to corporate file systems.

An investigation by cybersecurity firm Huntress identified this local file inclusion vulnerability, reported as CVE-2025-11371. The issue lies in how these web applications manage server-side files, enabling remote attackers to gain access without authentication. Huntress observed active exploitation attempts against exposed instances leading up to the public disclosure of this vulnerability.

Prior to the information becoming public, attackers had already begun scanning for and targeting vulnerable systems, with over 6,000 instances of these platforms reportedly exposed online as of late September.

This flaw permits attackers to request and read files directly from the application’s filesystem without requiring a login. By supplying specifically crafted input, they can access arbitrary server files, including critical configuration files that may contain cryptographic keys or access tokens. Notably, Huntress indicated that attackers have read the application’s web.config file to extract machine keys, which could let them craft a malicious ViewState and achieve remote code execution.

The implications of the flaw are significant since it does not require user authentication and affects internet-facing installations. Successful exploitation could expose sensitive credentials and configuration data, allowing unauthorized access to corporate file systems and enabling further code execution on affected servers.

Technical analysis from Huntress highlighted a specific attack vector utilizing a temporary handler in the UploadDownloadProxy component to facilitate file reads. Eliminating this handler from the UploadDownloadProxyWeb.config has proven effective in blocking the identified local file inclusion path.
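The following audit sketch is an added example, not code from Huntress or Gladinet. It checks a Web.config for the two conditions described above: whether a named handler is still registered, and whether the file holds static machine keys. The handler name, path and type in the sample are constructed placeholders; take the real handler name from the vendor or Huntress guidance.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. Handler names, paths, types and the key value
# are placeholders, not the product's real values.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256"/>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="EXAMPLE_TEMP_HANDLER" path="example.tmp" verb="*" type="Example.TempHandler"/>
      <add name="EXAMPLE_UPLOAD" path="example.up" verb="POST" type="Example.Upload"/>
    </handlers>
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text, handler_name):
    """Report whether handler_name is still registered and which machineKey
    attributes carry static (non-AutoGenerate) key material."""
    root = ET.fromstring(xml_text)
    wanted = handler_name.lower()
    # Handlers live under <handlers> (IIS integrated mode) or <httpHandlers>
    # (classic mode); iter() also finds them inside <location> wrappers.
    entries = [add for section in ("handlers", "httpHandlers")
               for node in root.iter(section) for add in node.findall("add")]
    matches = [dict(e.attrib) for e in entries
               if wanted in (e.get("name", "").lower(), e.get("path", "").lower())]
    # Keys written into the file can be read by anyone who can read the file,
    # which is what makes a file-read flaw a stepping stone to forged ViewState.
    static_keys = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            if value and not value.startswith("AutoGenerate"):
                static_keys.append(attr)
    return {"handler_present": bool(matches),
            "handler_entries": matches,
            "static_machine_keys": static_keys}


if __name__ == "__main__":
    print(audit_web_config(SAMPLE_WEB_CONFIG, "EXAMPLE_TEMP_HANDLER"))
```

If static keys are reported on a server that was exposed while vulnerable, treat them as disclosed and rotate them after the handler is removed.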

Huntress has previously uncovered another critical vulnerability — CVE-2025-30406 — in the same platforms, which allowed for remote code execution and consequently control over vulnerable servers. Both vulnerabilities are rooted in similar weaknesses in how the software handles user input, underscoring ongoing security issues in these products.

In light of these developments, it is essential for organizations operating with Gladinet CentreStack and Triofox to assess their exposure and take necessary steps to secure their systems. Understanding the tactics and techniques outlined in the MITRE ATT&CK framework, such as initial access and exploitation of vulnerabilities, can aid in comprehensive threat assessments and mitigation strategies.
