The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert by adding CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting active exploitation of a critical flaw in Gladinet’s CentreStack and Triofox platforms.
This unauthenticated local file inclusion (LFI) vulnerability allows attackers to access sensitive system files without credentials, posing severe risks to organizations relying on these file-sharing solutions.
Added on November 4, 2025, with a mitigation deadline of November 25, 2025, the flaw underscores the need for immediate action amid ongoing threat actor campaigns.
Vulnerability Details
CVE-2025-11371 affects the default installations of Gladinet CentreStack and Triofox, enterprise tools designed for secure file synchronization, remote access, and collaboration in hybrid environments.
CentreStack targets managed service providers and small businesses, while Triofox serves larger enterprises by enabling VPN-free file access.
The vulnerability, rated with a CVSS v3.1 base score of 6.1 (though some analyses elevate it to 9.1 due to chained impacts), stems from improper path handling in the UploadDownloadProxy component, linked to CWE-552: Files or Directories Accessible to External Parties.
| CVE ID | Affected Products | CVSS Score | Description | Exploitation Status | Mitigation Due Date |
|---|---|---|---|---|---|
| CVE-2025-11371 | Gladinet CentreStack (all versions ≤16.7.10368.56560), Triofox (all versions ≤16.7.10368.56560) | 6.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | Unauthenticated LFI allowing arbitrary file reads, enabling machine key extraction for RCE chaining with CVE-2025-30406. | Actively exploited in the wild since September 27, 2025; at least three confirmed victims. | November 25, 2025 |
This flaw enables remote attackers to disclose configuration files like Web.config, extracting cryptographic machine keys essential for application integrity.
Discovered by Huntress researchers, it impacts self-hosted, on-premises, or cloud deployments, amplifying risks in sectors like healthcare and finance where data control is paramount.
Active Exploitation and Broader Threats
Cybersecurity firm Huntress first observed exploitation on September 27, 2025, chaining CVE-2025-11371 with the earlier ViewState deserialization vulnerability (CVE-2025-30406, patched in April 2025) to achieve remote code execution (RCE).
Attackers forge malicious ViewState payloads using stolen keys, bypassing checks and deploying malware, remote access tools, or enabling lateral movement across networks.
At least three Huntress customers were hit, with threat actors targeting unpatched instances post-CVE-2025-30406 fixes, indicating sophisticated, persistent campaigns.
The implications extend beyond initial access: compromised servers could expose corporate file shares, leading to data theft, ransomware deployment, or supply chain attacks.
CISA’s KEV inclusion requires federal agencies to remediate, but private sector organizations face similar urgency, as exploitation requires neither authentication nor privileges.
Health-ISAC and other bodies have issued bulletins emphasizing the vulnerability’s role in disrupting remote work infrastructures.
Mitigation Strategies and Vendor Response
Gladinet acknowledged the issue and released patches on October 14, 2025, urging users to update immediately.
As an interim measure, disable the temp handler in the UploadDownloadProxy’s Web.config file by removing the relevant <add name="temp" …> line, though this may limit some upload/download features.
CISA recommends applying vendor mitigations, adhering to Binding Operational Directive 22-01 for cloud services, or discontinuing use if patches are unavailable.
Organizations should scan environments for vulnerable instances, monitor for anomalous file access, and integrate KEV into vulnerability management frameworks.
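To support the interim mitigation and the scanning advice above, the following added example (not Gladinet's or CISA's code) audits a collected Web.config and reported build number. It assumes the temp handler is registered as an `<add name="temp">` element under a `<handlers>` section; the sample configs, their placeholder attribute values, the build `99.0.0.0` and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Highest affected build per the advisory table (all versions <= this).
AFFECTED_MAX = (16, 7, 10368, 56560)

def is_affected_version(version: str) -> bool:
    """True if a dotted build string falls in the affected range."""
    return tuple(int(p) for p in version.strip().split(".")) <= AFFECTED_MAX

def temp_handler_present(web_config_xml: str) -> bool:
    """True if an active <add name="temp" ...> sits under any <handlers>.
    ElementTree discards XML comments, so a commented-out line counts as removed."""
    root = ET.fromstring(web_config_xml)
    for handlers in root.iter("handlers"):
        for add in handlers.findall("add"):
            if add.get("name", "").strip().lower() == "temp":
                return True
    return False

def assess(version: str, web_config_xml: str) -> str:
    """Classify one server from its build string and UploadDownloadProxy config."""
    if not is_affected_version(version):
        return "not-in-affected-range"
    if temp_handler_present(web_config_xml):
        return "exposed"
    return "interim-mitigation-only"  # handler removed, vendor patch still needed

# Constructed samples; attribute values are placeholders, not the real ones.
WITH_HANDLER = """<configuration><system.webServer><handlers>
  <add name="temp" verb="*" path="PLACEHOLDER" type="PLACEHOLDER" />
  <add name="other" verb="*" path="PLACEHOLDER" type="PLACEHOLDER" />
</handlers></system.webServer></configuration>"""

HANDLER_COMMENTED_OUT = """<configuration><system.webServer><handlers>
  <!-- <add name="temp" verb="*" path="PLACEHOLDER" type="PLACEHOLDER" /> -->
  <add name="other" verb="*" path="PLACEHOLDER" type="PLACEHOLDER" />
</handlers></system.webServer></configuration>"""

if __name__ == "__main__":
    # Constructed inventory: (hostname, reported build, config text).
    for label, ver, cfg in [
        ("server-a", "16.7.10368.56560", WITH_HANDLER),
        ("server-b", "16.7.10368.56560", HANDLER_COMMENTED_OUT),
        ("server-c", "99.0.0.0", WITH_HANDLER),
    ]:
        print(label, ver, assess(ver, cfg))
```

A result of `interim-mitigation-only` means the handler line is gone but the build is still in the affected range, so the server remains on the patching list.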
This incident highlights the evolving threats to managed file transfer solutions, where unpatched flaws can cascade into full system compromise.
By prioritizing rapid patching, defenders can thwart these active attacks and safeguard sensitive data flows.





