Active attacks exploit Gladinet CentreStack/Triofox zero-day (CVE-2025-11371). No patch available; apply LFI mitigation now.

Continue reading
Cybersecurity researchers are warning that a severe, unpatched vulnerability in Gladinet's popular CentreStack and Triofox file-sharing software is being actively exploited by attackers. The zero-day flaw allows unauthorized individuals to read sensitive system files and, in a sophisticated attack chain, achieve complete remote control of the affected server.
The vulnerability, tracked as CVE-2025-11371, is an unauthenticated Local File Inclusion (LFI) bug that impacts all versions of the software, including the latest release, 16.7.10368.56560. While a formal patch is still under development, a critical mitigation has been identified to prevent exploitation.
The active attacks leverage a clever combination of a new weakness and a previously patched one. The newly discovered LFI flaw (CVE-2025-11371) allows attackers to remotely access any file on the system without needing a password.
Here is a fresh version of the news article, written in plain language with a clear, standardized structure for easy reading.
A critical vulnerability has been discovered in widely used software, and it is currently being attacked in the wild. The table below summarizes the core details:
| Vulnerability Aspect | Details |
|---|---|
| CVE Identifier | CVE-2025-11371 |
| CVSS Score | 6.1 (Medium) |
| Type | Unauthenticated Local File Inclusion (LFI) |
| Affected Products | Gladinet CentreStack & Triofox |
| Affected Versions | All versions, including the latest 16.7.10368.56560 |
| Status | Actively exploited; no patch available |
The zero-day vulnerability CVE-2025-11371 is a Local File Inclusion (LFI) flaw affecting the default installation and configuration of both products, impacting all versions, including the latest release, 16.7.10368.56560.
Researchers at managed cybersecurity platform Huntress detected the security issue on September 27 when a threat actor successfully exploited it to obtain a machine key and execute code remotely.
A closer analysis revealed that the issue was an LFI leveraged to read the Web config and extract the machine key. This allowed the attacker to use an older deserialization vulnerability (CVE-2025-30406) and achieve remote code execution (RCE) through ViewState.
The CVE-2025-30406 deserialization bug in CentreStack and Triofox was also exploited in the wild in March, due to a hardcoded machine key. An attacker knowing the key could perform RCE on an affected system.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.