Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products.
The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and including 16.7.10368.56560.
Huntress said it first detected the activity on September 27, 2025, uncovering that three of its customers have been impacted so far.
It’s worth noting that both applications were previously affected by CVE-2025-30406 (CVSS score: 9.0), a case of hard-coded machine key that could allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability. The vulnerability has since come under active exploitation.
CVE-2025-11371, per Huntress, “allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability. Additional details of the flaw are being withheld in light of active exploration and in the absence of a patch.
In one instance investigated by the company, the affected version was newer than 16.4.10315.56368 and not vulnerable to CVE-2025-30406, suggesting that attackers are exploiting the new flaw to extract the hard-coded machine key and use it to execute code remotely via the ViewState deserialization flaw.
In the interim, users are recommended to disable the “temp” handler within the Web.config file for UploadDownloadProxy located at “C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config.”
“This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched,” Huntress researchers Bryan Masters, James Maclachlan, Jai Minton, and John Hammond said.
Huntress told The Hacker News that it has observed a “handful of incidents” that led to a confirmed compromise as a result of CVE-2025-11371. The activity has not been attributed to any threat actor, although the possibility that the sets of attacks could be the work of the same group has not been ruled out.
“It’s unclear if these are the same threat actors, but I wouldn’t be surprised since they would have already been familiar with this particular piece of software and they could have found this new vulnerability with minimal effort,” Jamie Levy, director of adversary tactics at Huntress, said.
(The story was updated after publication to include a response from Huntress.)
