Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Gladinet CentreStack and TrioFox actively exploited unauthenticated LFI remote code execution flaw (multiple vulnerabilities)

Vulnerability
First reported
Last updated
Happening score
H score 63
2 unique sources, 5 articles

Summary

Hide ▲

Gladinet CentreStack is now patched for CVE-2025-11371, an unauthenticated local file inclusion flaw that threat actors have used as a zero-day since late September. The bug let attackers read `Web.config`, extract the ASP.NET machine key, and chain into CVE-2025-30406 for remote code execution on affected deployments. Gladinet says the fix is available in CentreStack version 16.10.10408.56683, and administrators are strongly recommended to install it. If upgrading is not possible, the interim mitigation is to disable the temp handler in `UploadDownloadProxy/Web.config`.

Cases

Gladinet machine-key exploitation chain (5)

Related Happenings

Cloud Software Group NetScaler urgent remediation advisory

Advisory/Mitigation
First: 25.03.2026 17:52 Last: 25.03.2026 17:52 Sources 1

About this happening: **Cloud Software Group** issued urgent remediation guidance for **NetScaler ADC** and **NetScaler Gateway**, telling affected customers to install updated versions as soon as poss...

Open Happening

Gladinet CentreStack and Triofox hardcoded AES keys RCE flaw

Vulnerability
First: 11.12.2025 23:49 Last: 11.12.2025 23:49 Sources 1

About this happening: A new **Gladinet CentreStack** and **Triofox** vulnerability in the products' custom AES implementation is being **actively exploited** to recover **hardcoded cryptographic keys**...

Open Happening

Gladinet CentreStack and Triofox active exploitation wave

Exploitation Wave
First: 11.12.2025 07:56 Last: 11.12.2025 07:56 Sources 1

How related: As of December 10, as many as nine organizations have been affected by the newly disclosed flaw.

About this happening: Active exploitation of **Gladinet CentreStack** and **Triofox** has affected **at least nine organizations**, creating risk of unauthorized access and follow-on **remote code exec...

Open Happening

Gladinet Triofox actively exploited improper access control flaw (CVE-2025-12480)

Vulnerability
First: 11.11.2025 14:30 Last: 11.11.2025 14:30 Sources 1

About this happening: **Gladinet Triofox** is affected by **CVE-2025-12480**, a **critical improper access control flaw** that let attackers reach restricted setup pages and turn the issue into **code...

Open Happening

CentOS Web Panel remote command execution flaw (CVE-2025-48703)

Vulnerability
First: 05.11.2025 20:26 Last: 05.11.2025 20:26 Sources 1

About this happening: **CentOS Web Panel (CWP)** is affected by **CVE-2025-48703**, a **critical remote command execution** flaw that lets **unauthenticated attackers** with a valid username run arbitr...

Open Happening

Timeline

  1. 05.11.2025 08:12 2 articles · 6mo ago

    Huntress detects active exploitation attempts against Gladinet CentreStack and Triofox

    Detection Ioc Update

    Huntress detected active exploitation attempts targeting CVE-2025-11371 in Gladinet CentreStack and Triofox, with unknown threat actors using Base64-encoded payloads to run reconnaissance commands such as ipconfig /all against exposed systems. CISA also added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies were required to apply the necessary fixes by November 25, 2025.

    Show sources
    Open in new tab
  2. 10.10.2025 12:34 1 articles · 7mo ago

    First detection of CVE-2025-11371 exploitation against Gladinet CentreStack and TrioFox

    Detection Ioc Update

    Huntress first detected active in-the-wild exploitation of CVE-2025-11371 affecting Gladinet CentreStack and TrioFox on September 27, 2025, and found that three customers had been impacted. The activity involved an unauthenticated local file inclusion flaw that could disclose system files and support a chain to remote code execution through the previously known CVE-2025-30406 path.

    Show sources
    Open in new tab
  3. 10.10.2025 12:34 5 articles · 7mo ago

    Public disclosure of active CVE-2025-11371 exploitation in Gladinet CentreStack and TrioFox

    Initial Disclosure

    Huntress disclosed active in-the-wild exploitation of CVE-2025-11371 in Gladinet CentreStack and TrioFox, describing the flaw as an unauthenticated local file inclusion bug that affects versions through 16.7.10368.56560. Huntress also advised disabling the temp handler in UploadDownloadProxy/Web.config until the vulnerability is patched.

    Show sources
    Open in new tab