CVE-2025-11371 — Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability


Gladinet CentreStack/Triofox — Unauthenticated Local File Inclusion; Third Gladinet CVE of 2025; Systemic Access Control Deficit

What is Gladinet CentreStack and Triofox?

Gladinet CentreStack is an enterprise file server and secure remote access platform that enables organizations to provide cloud-like file access to on-premises file servers. Triofox is Gladinet's variant marketed for distributed teams. Both products expose web interfaces for file management and authentication, and both are enterprise file-sharing products that are commonly exposed to the internet to support remote work.

Gladinet products have had a pattern of critical vulnerabilities in 2025: CVE-2025-30406 (hardcoded machine key → SYSTEM compromise, March 2025), CVE-2025-14733 (AES hardcoded key, Clop-linked chain), CVE-2025-14611 (Triofox Host header → SYSTEM via UNC6485) — all patched in the first half of 2025. CVE-2025-11371 represents a third distinct vulnerability class: unauthenticated file disclosure.

Overview

CVE-2025-11371 is a files or directories accessible to external parties vulnerability (CWE-552) in Gladinet CentreStack and Triofox. An unauthenticated remote attacker can reach endpoint paths that expose system files from the WebRoot directory without authentication — including configuration files, credential stores, and application secrets. Active exploitation was confirmed before the CISA KEV listing on November 4, 2025.

Affected Versions

Product        Vulnerable               Fixed
CentreStack    < 16.10.10408.56683      16.10.10408.56683
Triofox        ≤ 16.7.10368.56560       16.7.10368.56561

Technical Details

The vulnerability (CWE-552: Files or Directories Accessible to External Parties) allows an unauthenticated attacker to read system files from the web application's WebRoot directory through web-accessible endpoint paths that lack proper access controls. The classification as LFI (Local File Inclusion) / path disclosure reflects that the web server exposes file reading capabilities without requiring authentication.

Sensitive files that may be accessible include:

  • Application configuration files (database connection strings, API credentials)
  • Session token storage or caches
  • CentreStack's embedded authentication configuration
  • System paths and directory structures that aid further exploitation

Context as the third 2025 Gladinet CVE: The repeated appearance of Gladinet in the CISA KEV catalog (March, May, October/November 2025) suggests a product with multiple systemic security design weaknesses rather than isolated coding errors. Organizations running Gladinet products should audit their full deployment against all 2025 advisories simultaneously.

Discovery

Not publicly attributed.

Exploitation Context

CISA confirmed active exploitation and added CVE-2025-11371 to the KEV catalog on November 4, 2025, with a 21-day deadline. Given Gladinet's prior exploitation by Clop ransomware-affiliated actors (CVE-2025-14733 chain), threat actors appear to systematically investigate Gladinet deployments for new vulnerabilities.

Remediation

  1. Upgrade CentreStack to 16.10.10408.56683 and Triofox to 16.7.10368.56561 immediately. The CISA deadline was November 25, 2025.
  2. Apply all 2025 Gladinet patches: CVE-2025-30406 (March), CVE-2025-14733/CVE-2025-14611 (May/June), and this CVE. Organizations that haven't applied earlier patches are at compound risk.
  3. Restrict internet access to CentreStack and Triofox management interfaces — place them behind VPN or IP allowlists.
  4. Audit web-accessible paths for sensitive files: review server logs for unexpected GET requests to configuration file paths.
  5. Rotate all credentials stored in CentreStack/Triofox configuration files as a precaution if the server was internet-exposed before patching.
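As an added example that is not part of the advisory or of Gladinet's own tooling, the script below implements steps 1 and 4 together: it compares a deployed build number against the fixed versions named above and scans web-server access log lines for GET requests by unauthenticated clients to configuration-like file names. The W3C extended log field order, the file-extension list and the log lines themselves are assumptions and constructed samples, not indicators taken from the advisory.

```python
"""Version check and access-log audit for CVE-2025-11371 remediation.
Assumptions: the access log is in W3C extended format with the field order
listed in FIELDS below (IIS-style); the sensitive-extension list is a
defender's choice, not a vendor indicator; SAMPLE_LOG is constructed."""
import re

# Fixed builds from the advisory. A CentreStack build below the fixed build,
# or a Triofox build at or below 16.7.10368.56560, is vulnerable.
FIXED = {"CentreStack": "16.10.10408.56683", "Triofox": "16.7.10368.56561"}

def parse_version(version):
    """Turn a dotted build string into a tuple so it compares numerically."""
    return tuple(int(part) for part in version.split("."))

def is_vulnerable(product, version):
    """True when the deployed build predates the fixed build for the product."""
    return parse_version(version) < parse_version(FIXED[product])

# File names an anonymous client should never be fetching from WebRoot.
SENSITIVE = re.compile(r"\.(config|ini|xml|json|db|sdf|bak)$", re.IGNORECASE)

# Assumed field order of each log line (split on whitespace).
FIELDS = ("date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status")

def suspicious_requests(log_lines):
    """Return (client_ip, uri_stem, status) for GET requests to sensitive file
    names made without an authenticated user (cs-username is '-'). The status
    is kept so the analyst can separate served files (2xx) from probes."""
    hits = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue                      # skip blanks and W3C header lines
        fields = line.split()
        if len(fields) < len(FIELDS):
            continue                      # malformed line; not a log record
        rec = dict(zip(FIELDS, fields))
        if (rec["cs-method"] == "GET" and rec["cs-username"] == "-"
                and SENSITIVE.search(rec["cs-uri-stem"])):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits

# Constructed sample log: one normal page view, one anonymous config fetch that
# was served, one authenticated config fetch, one anonymous probe that 404'd.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-11-01 09:12:44 10.0.0.5 GET /portal/index.html - 443 - 198.51.100.7 Mozilla/5.0 200
2025-11-01 09:12:51 10.0.0.5 GET /portal/web.config - 443 - 198.51.100.7 curl/8.4.0 200
2025-11-01 09:13:02 10.0.0.5 GET /portal/web.config - 443 jdoe@example.com 10.0.0.44 Mozilla/5.0 200
2025-11-01 09:13:10 10.0.0.5 GET /portal/app.config - 443 - 203.0.113.9 python-requests/2.31 404""".splitlines()

if __name__ == "__main__":
    print("CentreStack 16.10.10408.56682 vulnerable:", is_vulnerable("CentreStack", "16.10.10408.56682"))
    for client, stem, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} fetched {stem} (HTTP {status})")
```

A 2xx hit from an internet address on a configuration file is the trigger for step 5 (credential rotation); 4xx hits still show who was probing and when.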

Key Details

Property                 Value
CVE ID                   CVE-2025-11371
Vendor / Product         Gladinet — CentreStack and Triofox
NVD Published            2025-10-09
NVD Last Modified        2025-11-05
CVSS 3.1 Score           7.5
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity                 HIGH
CWE                      CWE-552
CISA KEV Added           2025-11-04
CISA KEV Deadline        2025-11-25
Known Ransomware Use     No

CVSS 3.1 Breakdown

Attack Vector            Network
Attack Complexity        Low
Privileges Required      None
User Interaction         None
Scope                    Unchanged
Confidentiality          High
Integrity                None
Availability             None

Required Action

CISA BOD 22-01 Deadline: 2025-11-25. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date           Event
2025-10-09     CVE published; Gladinet releases CentreStack 16.10.10408.56683 and Triofox 16.7.10368.56561 with the fix
2025-11-04     Added to the CISA Known Exploited Vulnerabilities catalog
2025-11-25     CISA BOD 22-01 remediation deadline

References

Resource                                    Type
Gladinet CentreStack Release Notes          Vendor Advisory
NVD — CVE-2025-11371                        Vulnerability Database
CISA KEV Catalog Entry                      US Government