
Gladinet machine-key exploitation chain

Updated 11.12.2025 23:49
Case score 69 · Members 5 · First seen 10.10.2025 12:34 · Last seen 11.12.2025 23:49 · Latest activity 11.12.2025 23:49
Active exploitation · KEV: CISA KEV · Patch status varies by member · CVSS: 9.8 Critical

Overview

Attackers are exploiting **Gladinet CentreStack** and **Triofox** by abusing hardcoded AES keys and access-ticket handling to recover `Web.config`, steal the ASP.NET machine key, and reach **remote code execution**. Huntress said the activity had already targeted **at least nine organizations**, used crafted requests from `147.124.216[.]205`, and relied on `/storage/filesvr.dn` traffic to forge or decrypt tickets. Gladinet released **CentreStack 16.10.10408.56683** for **CVE-2025-11371** and told administrators to install it. If upgrading is not possible, the temporary mitigation is to disable the temp handler in `UploadDownloadProxy/Web.config`, which can affect some platform functionality.
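
An added example (not from the original page, Huntress, or Gladinet): one way to triage IIS W3C logs for the two indicators named above, treating the source IP as high confidence and requests to `/storage/filesvr.dn` from other addresses as items to review. The log lines are constructed and the field layout is an assumption; the parser follows whatever `#Fields:` header the log declares.

```python
# Added example: triage IIS W3C logs for the indicators named in this case.
import ipaddress

IOC_IP = "147.124.216[.]205".replace("[.]", ".")  # refanged source IP from the case
IOC_PATH = "/storage/filesvr.dn"                   # handler path from the case

# Constructed sample log (not real traffic); PLACEHOLDER stands in for the query string.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-10 08:14:02 10.0.0.5 GET /portal/login.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-12-10 08:15:40 10.0.0.5 GET /storage/filesvr.dn PLACEHOLDER 443 - 147.124.216.205 - 200
2025-12-10 08:15:41 10.0.0.5 GET /Storage/FileSvr.dn PLACEHOLDER 443 - 203.0.113.44 curl/8.0 200
2025-12-10 08:16:03 10.0.0.5 POST /portal/api.aspx - 443 alice 147.124.216.205 - 302
"""

def parse_w3c(text):
    """Yield one dict per request, honouring the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage(text):
    """Return (severity, row) pairs: 'high' for the IOC IP, 'review' for the path only."""
    hits = []
    ioc = ipaddress.ip_address(IOC_IP)
    for row in parse_w3c(text):
        try:
            from_ioc = ipaddress.ip_address(row.get("c-ip", "")) == ioc
        except ValueError:
            from_ioc = False
        # IIS treats URL paths case-insensitively, so compare in lower case.
        on_path = row.get("cs-uri-stem", "").lower() == IOC_PATH
        if from_ioc:
            hits.append(("high", row))
        elif on_path:
            hits.append(("review", row))
    return hits

if __name__ == "__main__":
    for severity, row in triage(SAMPLE_LOG):
        print(severity, row["date"], row["time"], row["c-ip"],
              row["cs-method"], row["cs-uri-stem"], row["sc-status"])
```

Because the page reports that the machine key was the target, any "high" hit is a reason to rotate the machine key as Gladinet advised, in addition to upgrading.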

Signals

10 derived
Exploitation: Active exploitation · CVSS 9.8 Critical
Affected impact: Affected service
CVEs/products: CVE
Victims/regions: Sector healthcare
Remediation: Urgency High · KEV CISA KEV
Data exposure: Leak status Exposed/Unsecured

Malware context

0 families · 1 tools
Tools
PowerShell Invoke-WebRequest

Member happenings

5 related
Vulnerability: Gladinet CentreStack and Triofox hardcoded AES keys RCE flaw
Updated 11.12.2025 23:49 · Lead · Contribution 64
Exploitation: Active Exploitation · Data Type: Passwords · Data Type: Usernames · Patch: Patch Available

A new **Gladinet CentreStack** and **Triofox** vulnerability in the products' custom AES implementation is being **actively exploited** to recover **hardcoded cryptographic keys** and enable **remote code execution**. **Gladinet** told customers to upgrade and rotate machine keys, while researchers said the abuse had already targeted **at least nine organizations**. The flaw affects secure remote file access and sharing systems, making exposed deployments a direct takeover risk.

Exploitation Wave: Gladinet CentreStack and Triofox active exploitation wave
Updated 11.12.2025 07:56 · Scoring Support · Contribution 2
Exploitation: Active Exploitation · Patch: Patch Available

Active exploitation of **Gladinet CentreStack** and **Triofox** has affected **at least nine organizations**, creating risk of unauthorized access and follow-on **remote code execution**. Attack traffic has been observed from **147.124.216[.]205** using crafted requests to **/storage/filesvr.dn** and forged access tickets. The activity also appears to chain the new abuse with **CVE-2025-11371** to reach **Web.config** and obtain the machine key.

Vulnerability: Gladinet CentreStack and Triofox actively exploited unauthenticated LFI remote code execution flaw (multiple vulnerabilities)
Updated 10.10.2025 12:34 · Scoring Support · Contribution 2
Exploitation: Active Exploitation · Data Type: Source Code · CVSS: 9.8 Critical · Data Status: Exposed/Unsecured

**Gladinet CentreStack** is now patched for **CVE-2025-11371**, an **unauthenticated local file inclusion** flaw that threat actors have used as a **zero-day** since **late September**. The bug let attackers read `Web.config`, extract the ASP.NET machine key, and chain into **CVE-2025-30406** for **remote code execution** on affected deployments. Gladinet says the fix is available in **CentreStack version 16.10.10408.56683**, and administrators are strongly recommended to install it. If upgrading is not possible, the interim mitigation is to disable the **temp handler** in `UploadDownloadProxy/Web.config`.

Security Patch Release: CentreStack security update for CVE-2025-11371
Updated 16.10.2025 18:11 · Context
Exploitation: Active Exploitation · Urgency: High · Patch: Patch Available

**Gladinet** released a **security update** for **CentreStack** to fix **CVE-2025-11371**, a **zero-day** local file inclusion flaw affecting business file-sharing deployments. The issue had been abused since **late September** and could expose **Web.config** on fully patched systems, letting attackers extract the **ASP.NET machine key**. The new build, **version 16.10.10408.56683**, is available now, and administrators are **strongly recommended** to install it. If upgrading is not possible, a temporary mitigation is to disable the **temp handler** in **Web.config** for the **UploadDownloadProxy** component.

Advisory/Mitigation: Gladinet CentreStack and Triofox workaround for CVE-2025-11371
Updated 10.10.2025 22:08 · Context
Exploitation: Active Exploitation · Urgency: High

**CentreStack** and **Triofox** are affected by **CVE-2025-11371**, a **local file inclusion zero-day** that threat actors have **abused since late September** to read **Web.config**, extract the ASP.NET machine key, and chain into **CVE-2025-30406** for **remote code execution**. **Gladinet** has released **version 16.10.10408.56683** to fix the issue and previously advised a **temporary workaround** for customers who cannot upgrade. The workaround disables the **temp handler** in **Web.config** for the **UploadDownloadProxy** component, but it can **impact some functionality**.