Gladinet CentreStack / Triofox — CVE-2025-11371

A newly discovered zero-day (now patched) impacted Gladinet CentreStack and Triofox. The issue is an unauthenticated Local File Inclusion (LFI) that allowed attackers to read sensitive files such as Web.config, extract the application’s machine key, and chain into remote code execution via ViewState deserialization. Gladinet released fixes on October 14, 2025 in version 16.10.10408.56683. Users should update immediately and validate mitigation.

Overview

Gladinet’s file-sharing / remote-access platforms CentreStack and Triofox were affected by CVE-2025-11371, an unauthenticated LFI enabling disclosure of application files and secrets. Attackers leveraged the flaw to read Web.config, recover the ASP.NET <machineKey> values (validationKey and decryptionKey), and then craft ViewState payloads that carry a valid MAC and therefore pass the server’s integrity check. The server deserializes the payload, giving remote code execution (RCE) in the context of the IIS worker process (w3wp.exe). The vulnerability was exploited in the wild before the patch became available.

The chain is notable because it defeats the fix for an earlier issue, CVE-2025-30406, in which the same products shipped with a hardcoded machine key. That fix replaced the hardcoded key with a unique per-installation key; CVE-2025-11371 simply reads the unique key out of Web.config, so the same ViewState deserialization path is resurrected through a new entry point. Multiple environments experienced probing or compromise, underscoring the need for rapid remediation and thorough review.

How it works

The attack unfolds in four steps. First, a crafted request targets upload/download proxy endpoints with insufficient validation, triggering a Local File Inclusion that exposes files on disk. Second, the attacker reads the relevant Web.config and extracts the validationKey and decryptionKey from the <machineKey> element. Third, armed with these secrets, the attacker forges a ViewState blob that passes integrity checks. Finally, the application deserializes the data and executes the embedded object graph, resulting in code execution (e.g., spawning powershell or cmd, dropping files, or loading assemblies).

Execution occurs under w3wp.exe. Post-exploitation activity typically includes establishing persistence, credential discovery, outward C2 connections, and preparation for lateral movement when internal privileges or network segmentation allow it.

Affected builds: all versions up to and including 16.7.10368.56560. Patched build: 16.10.10408.56683 (released Oct 14, 2025).

Risks

Because the chain begins without authentication and culminates in server-level code execution, risk is high for any Internet-reachable instance. Realistic consequences include full host compromise, theft of sensitive data and configuration secrets (e.g., database connection strings, API tokens), deployment of ransomware, service disruption, tampering with logs and forensic artefacts, and lateral movement to adjacent systems. Because the final stage rides a legitimate framework mechanism (a correctly signed ViewState), signature-based perimeter controls may offer limited protection; the server itself cannot distinguish a forged ViewState from a genuine one once the key is known.

Real life example usage

In late September 2025, an incident response team documented a CentreStack server compromised via this chain even though it had already been updated against CVE-2025-30406. The attacker probed upload/download proxy handlers, succeeded in reading Web.config, extracted the machine key, and delivered a forged ViewState payload. Shortly after, investigators observed w3wp.exe spawning unusual child processes, very large base64 strings in HTTP requests, IIS exceptions consistent with deserialization, and outbound connections to unfamiliar IP addresses. With no patch available at that time, responders isolated the host, disabled the vulnerable handler, rotated secrets, and hunted for exfiltration indicators.

Recommendations

Apply the vendor patch (priority #1): upgrade CentreStack / Triofox to 16.10.10408.56683 or later. Treat as an emergency update, deploy out-of-band if needed, and verify success by confirming that previously exploitable endpoints no longer disclose files and that normal workflows still function.

If you cannot patch immediately, keep the vendor workaround in place: disable or remove the temporary upload/download handler in UploadDownloadProxy\Web.config that maps to the “temp” endpoint. This breaks the LFI stage but may reduce functionality; re-enable the handler only after the patch has been applied and validated. Note that the workaround stops new disclosures but does not help an instance whose Web.config was already read: in that case the machine key must also be rotated.
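The two Web.config facts this advisory turns on are whether a static <machineKey> is present (the secret the LFI stage discloses and the ViewState stage needs, as described under “How it works”) and whether the UploadDownloadProxy handler table still contains the “temp” endpoint the workaround removes. The script below performs both checks and emits a copy of the file with that handler removed. It is an added example, not Gladinet code: SAMPLE_WEB_CONFIG is constructed, the handler names, types and key values are placeholders, and matching the handler by a path or name of “temp” is an assumption about how the endpoint is declared.

```python
"""Web.config triage for the CVE-2025-11371 chain (added example, not vendor code).
Check 1: a static <machineKey> means anyone who can read this file can forge ViewState.
Check 2: the "temp" upload/download handler is what the vendor workaround removes.
SAMPLE_WEB_CONFIG is constructed; handler names/types and key values are placeholders."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
  <system.webServer>
    <handlers>
      <add name="ProxyUpload" path="upload" verb="*" type="Example.UploadHandler" />
      <add name="TempProxy" path="temp" verb="*" type="Example.TempHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""


def machine_key_findings(xml_text):
    """Return one finding per static key in <machineKey>; empty if keys are auto-generated."""
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # Keys then come from machine.config or are auto-generated; nothing to read in this file.
        return []
    findings = []
    for attr, alg_attr in (("validationKey", "validation"), ("decryptionKey", "decryption")):
        value = mk.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            findings.append(
                f"static {attr} ({len(value)} hex chars, {alg_attr}={mk.get(alg_attr, '?')}): "
                "disclosure of this file lets an attacker produce ViewState the server trusts"
            )
    return findings


def _is_temp_handler(handler):
    # Assumption: the workaround's target is declared with path="temp" or name="temp".
    return (handler.get("path", "").strip("/").lower() == "temp"
            or handler.get("name", "").lower() == "temp")


def has_temp_handler(xml_text):
    root = ET.fromstring(xml_text)
    return any(_is_temp_handler(h) for h in root.iterfind("./system.webServer/handlers/add"))


def disable_temp_handler(xml_text):
    """Return (new_xml, removed_handler_names) with every temp handler deleted.
    This disables the functionality routed through that endpoint; work on a backup copy.
    ElementTree drops XML comments and the declaration, so review the output before deploying."""
    root = ET.fromstring(xml_text)
    handlers = root.find("./system.webServer/handlers")
    removed = []
    if handlers is not None:
        for h in [h for h in handlers.findall("add") if _is_temp_handler(h)]:
            handlers.remove(h)
            removed.append(h.get("name", "<unnamed>"))
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for finding in machine_key_findings(SAMPLE_WEB_CONFIG):
        print("[machineKey]", finding)
    print("temp handler present before:", has_temp_handler(SAMPLE_WEB_CONFIG))
    patched_xml, removed = disable_temp_handler(SAMPLE_WEB_CONFIG)
    print("removed:", removed, "| present after:", has_temp_handler(patched_xml))
```

Run it against a copy of the real UploadDownloadProxy\Web.config rather than the sample. A non-empty result from machine_key_findings on a host that was reachable while unpatched is the cue to rotate the key, not just to apply the workaround, since a key that has already been read stays forgeable until it changes.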

Verify and confirm effectiveness: after updating, confirm that the upload/download proxy endpoints no longer return file contents for the previously exploitable request pattern, that the installed build reports 16.10.10408.56683 or later, and that normal upload and download workflows still work. Do this against a staging or isolated instance first, not the production host.

Incident response and forensics: preserve IIS and application logs, collect memory and disk images if compromise is suspected, and inspect for web shells or unfamiliar binaries within application directories. Where compromise is confirmed, rotate all secrets (including machineKey), eradicate persistence, and rebuild from known-good images.

Monitoring and detection: alert on repeated hits to upload/download proxy paths from a single client, request strings that reference web.config, very large or malformed __VIEWSTATE parameters, deserialization exceptions and bursts of HTTP 500 responses, w3wp.exe spawning shells or scripting hosts, and unexpected outbound traffic from the host. Note that standard IIS W3C logs record the query string but not POST bodies, so a ViewState size check needs a WAF, reverse proxy, or Failed Request Tracing in front of the application.
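The detection points listed above, implemented over two constructed data sources: IIS W3C access-log lines (proxy probing, web.config references, oversized __VIEWSTATE, 5xx on those requests) and process-creation events of the kind Sysmon or EDR emits (w3wp.exe spawning a shell). This is an added example and not vendor tooling; the log lines and events are constructed, PROXY_PATH_MARKERS is an assumed list of URL fragments for the upload/download proxy rather than a vendor-published path, and the thresholds are starting points to tune.

```python
"""Detection heuristics for the CVE-2025-11371 chain (added example, not vendor tooling).
All inputs below are constructed. PROXY_PATH_MARKERS and the thresholds are assumptions.
IIS W3C logs carry the query string only, so the __VIEWSTATE rule sees GET parameters;
a forged ViewState in a POST body is only visible in WAF/proxy logs."""
from collections import Counter
from urllib.parse import unquote

FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()
PROXY_PATH_MARKERS = ("uploaddownloadproxy", "/temp")   # assumption: tune to the deployment's URLs
PROXY_HIT_THRESHOLD = 5                                # hits per client before alerting
VIEWSTATE_MAX = 4096                                   # bytes; gadget-chain ViewState is far larger than normal
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"}


def _row(sec, method, stem, query, cip, ua, status):
    return f"2025-09-27 14:02:{sec:02d} 10.0.0.5 {method} {stem} {query} 443 - {cip} {ua} {status} 0 0 20"


# Constructed log: one benign client, one client probing the proxy, reading web.config,
# then sending an oversized ViewState that the server answers with a 500.
CONSTRUCTED_IIS_LOG = "\n".join([
    "#Fields: " + " ".join(FIELDS),
    _row(10, "GET", "/portal/login.aspx", "-", "198.51.100.7", "Mozilla/5.0", 200),
    *[_row(11 + i, "GET", "/UploadDownloadProxy/temp", f"id={i}", "203.0.113.9", "python-requests/2.32", 200)
      for i in range(4)],
    _row(15, "GET", "/UploadDownloadProxy/temp", "file=web.config", "203.0.113.9", "python-requests/2.32", 200),
    # Shown in the query so the IIS log can carry it; a real POST body would not appear here.
    _row(16, "POST", "/portal/default.aspx", "__VIEWSTATE=" + "A" * 5000, "203.0.113.9", "python-requests/2.32", 500),
    _row(17, "GET", "/portal/default.aspx", "__VIEWSTATE=" + "A" * 200, "198.51.100.7", "Mozilla/5.0", 200),
])

# Constructed process-creation events in the shape Sysmon event ID 1 / EDR telemetry provides.
CONSTRUCTED_PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami", "user": "IIS APPPOOL\\ExamplePool"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBB", "user": "IIS APPPOOL\\ExamplePool"},
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "user": "NT AUTHORITY\\SYSTEM"},
]


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by FIELDS; skip directives and short lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows


def http_alerts(rows):
    """Return (kind, client_ip, detail) tuples for the HTTP-side indicators."""
    alerts, proxy_hits = [], Counter()
    for r in rows:
        stem, query = r["cs-uri-stem"], r["cs-uri-query"]
        target = unquote(stem + "?" + query).lower()      # decode %xx before matching
        if any(marker in target for marker in PROXY_PATH_MARKERS):
            proxy_hits[r["c-ip"]] += 1
        if "web.config" in target:
            alerts.append(("config-read", r["c-ip"], stem + "?" + query))
        for param in query.split("&"):
            name, _, value = param.partition("=")
            if name.lower() == "__viewstate" and len(value) > VIEWSTATE_MAX:
                kind = "viewstate-oversized-5xx" if r["sc-status"].startswith("5") else "viewstate-oversized"
                alerts.append((kind, r["c-ip"], f"{len(value)} bytes on {stem}"))
    for ip, n in proxy_hits.items():
        if n >= PROXY_HIT_THRESHOLD:
            alerts.append(("proxy-probing", ip, f"{n} proxy hits"))
    return alerts


def process_alerts(events):
    """Flag w3wp.exe (the IIS worker) launching a shell or scripting host."""
    out = []
    for e in events:
        parent = e["parent"].rsplit("\\", 1)[-1].lower()
        child = e["image"].rsplit("\\", 1)[-1].lower()
        if parent == "w3wp.exe" and child in SHELLS:
            out.append(("w3wp-spawned-shell", e.get("user", "?"), e["cmdline"]))
    return out


if __name__ == "__main__":
    for alert in http_alerts(parse_w3c(CONSTRUCTED_IIS_LOG)) + process_alerts(CONSTRUCTED_PROCESS_EVENTS):
        print(alert)
```

The process rule is the highest-fidelity signal of the set: a correctly patched server still receives probes and oversized requests, but w3wp.exe has no legitimate reason to start cmd.exe or powershell.exe on a CentreStack or Triofox host, so that alert should page rather than just log. Extend SHELLS with whatever the attacker's observed child processes were once an incident confirms them.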

Hardening and resilience: enforce least privilege for service accounts, keep OS/dependencies current, segment networks to limit blast radius, and maintain immutable/offline backups with tested recovery procedures. Subscribe to vendor/NVD/CISA advisories and include CVE-2025-11371 in your KEV-driven patch prioritization.