🔴 CVE-2025-11371

CVE-2025-11371 is an unauthenticated Local File Inclusion (LFI) vulnerability in the Gladinet CentreStack and TrioFox file-sharing platforms. It was exploited in the wild as a zero-day and lets an attacker with no credentials read arbitrary files on the host system.

Risk Level: HIGH_RISK
CVSS Score: 7.5
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 (Exploit Public-Facing Application)
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-10-09

Added to CISA KEV: 2025-11-04 (26 days after CVE publication)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2025-11-04)

CVE-2025-11371 is an unauthenticated Local File Inclusion (LFI) vulnerability affecting Gladinet CentreStack and Triofox file-sharing and remote access platforms [1]. Here's what is known about its exploitation:

  • Affected Applications: Gladinet CentreStack and Triofox file-sharing and remote access platforms [1][5].
  • Internet-Facing Applications: Yes, the vulnerability affects internet-facing applications, so no prior access to the network is needed [3].
  • Active Exploitation: Exploited in the wild as a zero-day, i.e. before a fix was available [2][6][9][10].
  • Attack Vector: Attackers send requests to a vulnerable `UploadDownloadProxy` endpoint, present in default configurations, to read files on the server [4]. In observed attacks they retrieved `Web.config`, which contains the ASP.NET machine key [4].
  • Impact: The LFI itself is an arbitrary file read on the host [1][2]; recovering configuration keys from `Web.config` is the step that turns it into potential remote code execution (RCE) [3][6].
  • Targeted Attacks: The vulnerability has been used in targeted attacks; at least three of Huntress' customers were targeted [3][5][8][11].
  • CISA KEV Status: CISA has added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) Catalog [7].
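The two questions a responder asks after reading the above are "did anyone hit that endpoint with a traversal?" and "if they got Web.config, were the keys in it static?". The script below is an added example, not code from Gladinet, Huntress or any of the cited sources. It runs a broad hunting heuristic over constructed IIS W3C log lines and classifies the `<machineKey>` in a constructed Web.config. The `/portal/UploadDownloadProxy/` path prefix, the `file=` query parameter and the log field order are assumptions; the page does not give the exact request shape, so the heuristic flags any request to the endpoint whose decoded URI contains a traversal sequence or a reference to Web.config.

```python
"""Triage helpers for CVE-2025-11371 exposure (added example, not vendor code).

Assumptions not stated on the page:
  * IIS W3C log lines; the #Fields header line defines the column order.
  * The traversal appears in the URI or query of a request to the
    UploadDownloadProxy path. The parameter name `file` is a placeholder.
  * SAMPLE_LOG and SAMPLE_WEB_CONFIG are constructed, not captured data.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Fallback column order if a log fragment has no #Fields header (assumed).
LOG_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample: one benign download, two traversal attempts (one
# URL-encoded, one plain), and an unrelated request to the login page.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-10-09 03:12:44 10.0.0.5 GET /portal/UploadDownloadProxy/index.aspx file=report.pdf 443 - 203.0.113.7 Mozilla/5.0 200
2025-10-09 03:12:51 10.0.0.5 GET /portal/UploadDownloadProxy/index.aspx file=..%2F..%2F..%2FWeb.config 443 - 203.0.113.7 Mozilla/5.0 200
2025-10-09 03:13:02 10.0.0.5 GET /portal/UploadDownloadProxy/index.aspx file=../../../web.config 443 - 203.0.113.7 curl/8.0 200
2025-10-09 03:15:10 10.0.0.5 GET /portal/logon.aspx - 443 - 198.51.100.2 Mozilla/5.0 200
"""

TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")      # matched after URL-decoding
SENSITIVE = re.compile(r"web\.config", re.IGNORECASE)


def parse_iis_w3c(text):
    """Yield one dict per log row; a #Fields line redefines the columns."""
    fields = LOG_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                           # malformed row, skip it
        yield dict(zip(fields, parts))


def is_suspicious(row):
    """True for a request to the proxy endpoint carrying traversal or Web.config."""
    stem = row.get("cs-uri-stem", "")
    if "uploaddownloadproxy" not in stem.lower():
        return False
    # Decode twice: double-encoding (%252E%252E) is a common filter bypass.
    target = unquote(unquote(stem + "?" + row.get("cs-uri-query", "")))
    return bool(TRAVERSAL.search(target) or SENSITIVE.search(target))


def find_lfi_attempts(text):
    """Return (client ip, decoded query, status) for each suspicious row."""
    hits = []
    for row in parse_iis_w3c(text):
        if is_suspicious(row):
            hits.append((row["c-ip"], unquote(unquote(row["cs-uri-query"])),
                         row["sc-status"]))
    return hits


# Constructed Web.config with an explicit (static) machineKey. Key material
# here is a placeholder, not a real key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA9988"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def machine_key_status(web_config_xml):
    """Classify the <machineKey> element of a Web.config.

    'static' : explicit validationKey/decryptionKey live in the file. If the
               file was read via the LFI, treat them as compromised and rotate.
    'auto'   : AutoGenerate keys (the ASP.NET default); they are not stored in
               Web.config, so a read of the file does not disclose them.
    'absent' : no machineKey element in this file.
    """
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return "absent"
    vk = mk.get("validationKey", "AutoGenerate")
    dk = mk.get("decryptionKey", "AutoGenerate")
    if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
        return "auto"
    return "static"


if __name__ == "__main__":
    for ip, query, status in find_lfi_attempts(SAMPLE_LOG):
        print(f"suspicious proxy request from {ip}: {query} (HTTP {status})")
    print("machineKey:", machine_key_status(SAMPLE_WEB_CONFIG))
```

A hit with HTTP 200 on a `Web.config` read should be treated as key disclosure, not just an attempt; the `machine_key_status` result tells you whether rotating the keys is enough or whether the rest of the configuration (connection strings and similar) also needs to be treated as exposed.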

Sources

  1. CVE-2025-11371 Impact, Exploitability, and Mitigation Steps | Wiz

    Understand the critical aspects of CVE-2025-11371 with a detailed vulnerability assessment, exploitation potential, affected technologies, and remediation guidance.

  2. CVE-2025-11371: Gladinet CentreStack / Triofox Local File Inclusion

    CVE-2025-11371 Gladinet CentreStack / Triofox Local File Inclusion (LFI) | 0-Day Active Exploitation CVE-2025-11371 is an unauthenticated local file inclusion (LFI) vulnerability in Gladinet CentreStack and Triofox that allows an attacker to access arbitrary files on the host system.

  3. H-ISAC TLP White: Vulnerability Bulletin: Active Exploitation of ...

    On October 9, 2025, Huntress disclosed the observance of active, in-the-wild exploitation of CVE-2025-11371, an unauthenticated local file inclusion (LFI) vulnerability impacting Gladinet CentreStack and TrioFox products.

  4. CVE-2025-11371: Unpatched Gladinet Flaw Actively Exploited in the Wild

    The CVE-2025-11371 flaw resides in default configurations of Gladinet CentreStack and TrioFox, where attackers can exploit a vulnerable UploadDownloadProxy endpoint to access files on the server. Through this path, they can extract Web.config, a file that contains the ASP.NET machine key. This key i…

  5. VULNERABILITY BULLETINS - American Hospital Association

    Oct 10, 2025 On October 9, 2025, Huntress disclosed the observance of active, in-the-wild exploitation of CVE-2025-11371, an unauthenticated local file inclusion (LFI) vulnerability impacting Gladinet CentreStack and TrioFox products. The cybersecurity company has confirmed that three of its custome…