Particle.news

Active Exploits Target Gladinet CentreStack and TrioFox Zero-Day That Can Lead to RCE

The flaw exposes the machineKey, letting attackers forge ViewState payloads for remote code execution.

Overview

  • Huntress reports in-the-wild use of CVE-2025-11371 since late September, with at least three customer environments affected.
  • CVE-2025-11371 is an unauthenticated local file inclusion weakness impacting default installs up to version 16.7.10368.56560 across deployment types.
  • Attackers can read the Web.config machineKey and then leverage the previously known CVE-2025-30406 ViewState deserialization issue to achieve remote code execution, including on systems patched for that earlier flaw.
  • Gladinet has acknowledged the issue, is notifying customers, and is developing a fix, while Huntress has blocked observed activity and is withholding some technical details until a patch is available.
  • Operators are advised to disable the "temp" handler in the UploadDownloadProxy Web.config at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config, which may reduce functionality until an official patch arrives.
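
A read-only check for the mitigation in the last bullet, added here as an example (it is not code from Gladinet, Huntress or this article). It assumes the handler is registered as an `<add>` element under `<handlers>` or `<httpHandlers>` with "temp" somewhere in its attribute values; `Get-TempHandler` and the sample entries are hypothetical.

```powershell
param(
    # Default path is the one given in the advisory text above.
    [string]$ConfigPath = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config'
)

function Get-TempHandler {
    param([Parameter(Mandatory)][xml]$Config)
    # ASSUMPTION: the handler is an <add> element under <handlers> (integrated
    # pipeline) or <httpHandlers> (classic), and one of its attribute values
    # contains "temp" in any letter case. local-name() ignores XML namespaces.
    $xpath = "//*[local-name()='handlers' or local-name()='httpHandlers']" +
             "/*[local-name()='add'][@*[contains(translate(., 'TEMP', 'temp'), 'temp')]]"
    foreach ($node in $Config.SelectNodes($xpath)) {
        [pscustomobject]@{
            Section = $node.ParentNode.LocalName
            Name    = $node.GetAttribute('name')
            Path    = $node.GetAttribute('path')
            Type    = $node.GetAttribute('type')
        }
    }
}

# Constructed sample: handler names, paths and types are hypothetical.
# The commented-out entry is an XML comment, not an element, so it is never matched.
$sample = [xml]@'
<configuration>
  <system.webServer>
    <handlers>
      <add name="example-upload" verb="*" path="up.example" type="Example.Upload" />
      <add name="example-temp" verb="*" path="tmp.example" type="Example.TempDownload" />
      <!-- <add name="disabled-temp" verb="*" path="old.example" type="Example.Temp" /> -->
    </handlers>
  </system.webServer>
</configuration>
'@
Get-TempHandler -Config $sample

# Audit the real file when run on a CentreStack/Triofox host.
if (Test-Path -LiteralPath $ConfigPath) {
    $found = Get-TempHandler -Config ([xml](Get-Content -LiteralPath $ConfigPath -Raw))
    if ($found) {
        $found
        Write-Warning "A handler matching 'temp' is still registered in $ConfigPath"
    } else {
        Write-Output "No active handler matching 'temp' found in $ConfigPath"
    }
}
```

The script only reads the file; confirm any match against the vendor or Huntress guidance before editing Web.config, since disabling the handler may reduce functionality.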