CVE-2025-11371 is an unauthenticated Local File Inclusion vulnerability in the Gladinet CentreStack and Triofox file-sharing platforms. This zero-day vulnerability has been actively exploited in the wild and allows attackers to access system files without authentication.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2025-10-09
Added to CISA KEV: 2025-11-04
Days between CVE and KEV: 26
CVE-2025-11371 Gladinet CentreStack / Triofox Local File Inclusion (LFI) | 0-Day Active Exploitation
CVE-2025-11371 is an unauthenticated local file inclusion (LFI) vulnerability in Gladinet CentreStack and Triofox that allows an attacker to access arbitrary files on the host system.
On October 9, 2025, Huntress disclosed that it had observed active, in-the-wild exploitation of CVE-2025-11371, an unauthenticated local file inclusion (LFI) vulnerability impacting Gladinet CentreStack and Triofox products.
The CVE-2025-11371 flaw resides in the default configurations of Gladinet CentreStack and Triofox, where attackers can exploit a vulnerable UploadDownloadProxy endpoint to access files on the server. Through this path, they can extract Web.config, a file that contains the ASP.NET machine key. This key is critical for ViewState integrity and validation.
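A hunting check for the access pattern described above, as an added example that is not code from Huntress or Gladinet: it scans IIS W3C logs for anonymous, successful requests whose URI contains UploadDownloadProxy and groups them by client IP. The log lines are constructed, the handler name and query strings are placeholders, and matching on the endpoint name in cs-uri-stem is an assumption.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real traffic). The handler name and
# query strings under /UploadDownloadProxy/ are placeholders, not the real ones.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2025-10-09 03:14:07 GET /portal/login.aspx - 198.51.100.7 - 200
2025-10-09 03:14:09 GET /UploadDownloadProxy/placeholder.handler placeholder=1 203.0.113.50 - 200
2025-10-09 03:14:12 GET /uploaddownloadproxy/placeholder.handler placeholder=2 203.0.113.50 - 200
2025-10-09 03:15:40 GET /UploadDownloadProxy/placeholder.handler placeholder=3 192.0.2.10 alice 200
2025-10-09 03:16:02 GET /UploadDownloadProxy/placeholder.handler placeholder=4 198.51.100.99 - 404
"""

# Assumption: the endpoint name appears in cs-uri-stem (IIS paths are case-insensitive).
ENDPOINT_MARKER = "uploaddownloadproxy"


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def suspicious_requests(text):
    """Group unauthenticated, successful requests to the endpoint by client IP."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        on_endpoint = ENDPOINT_MARKER in row.get("cs-uri-stem", "").lower()
        anonymous = row.get("cs-username", "-") == "-"
        succeeded = row.get("sc-status", "").startswith("2")
        if on_endpoint and anonymous and succeeded:
            hits[row["c-ip"]].append(f'{row["date"]} {row["time"]} {row["cs-uri-stem"]}')
    return dict(hits)


if __name__ == "__main__":
    for ip, requests in suspicious_requests(SAMPLE_LOG).items():
        print(f"{ip}: {len(requests)} anonymous request(s) to the endpoint")
        for entry in requests:
            print("  " + entry)
```

Any client IP this returns on a real server is a reason to treat Web.config, and the machine key in it, as exposed.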
Oct 10, 2025: Huntress has confirmed that three of its customers have been affected so far.