Zero-day in Gladinet's File-Sharing Software Leads to Active Exploitation
🎙️ Paranoid Newscast
Security research firm Huntress is warning all users of Gladinet's CentreStack and Triofox file-sharing tools to urgently apply an available mitigation, as a zero-day is being actively exploited and no patch is yet available. Tracked as CVE-2025-11371 (severity 6.2), the local file inclusion vulnerability is the second bug that Huntress has found in Gladinet's software this year. The researchers spotted exploit activity on September 27, even on machines that were patched against CVE-2025-30406 (9.8), the critical remote code execution (RCE) vulnerability the team found in April. Huntress said it has seen at least three Gladinet customers attacked using CVE-2025-11371 so far, and that the vendor was already aware of the issue before Huntress got in touch, having worked directly with customers to develop a mitigation. Details on how to apply the temporary workaround are available on Huntress' blog, or in the emails Gladinet should have sent to customers explaining the same.
CentreStack and Triofox are both B2B software products that focus on secure, VPN-free remote file access. The former is pitched at managed service providers so that they can offer their own-brand remote access and file-sharing solution to clients, while Triofox is marketed more toward single enterprises. CentreStack's website states that it is trusted by more than 1,000 IT solution providers and enterprises, and lists globally recognized brands among them. Triofox lists similar clients but does not indicate a number of customers, although it says the product is designed for industries such as healthcare, engineering, and legal.
Huntress said that, if exploited successfully, CVE-2025-11371 could allow an attacker to retrieve the machine key from the web.config file of either CentreStack or Triofox, and then use it to exploit CVE-2025-30406 for RCE. This is why the earlier patch alone does not protect an installation: the local file inclusion bug exposes the secret that the RCE exploit depends on, so applying the mitigation is necessary even on patched systems.