
From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability

Severity: Low
Tags: Exploit, local, rce
Published: Fri Oct 10 2025 (10/10/2025, 09:34:00 UTC)
Source: The Hacker News

Description

Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products. The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and

AI-Powered Analysis

Last updated: 10/11/2025, 01:10:20 UTC

Technical Analysis

CVE-2025-11371 is an unauthenticated local file inclusion (LFI) flaw in Gladinet CentreStack and TrioFox affecting all versions up to and including 16.7.10368.56560. An unauthenticated attacker can use it to read arbitrary files from the server, and the file that matters is the Web.config of the UploadDownloadProxy component, because it carries the ASP.NET machineKey (validationKey and decryptionKey). Whoever holds those keys can produce ViewState blobs that pass MAC validation, and ASP.NET deserializes MAC-valid ViewState, so a crafted blob yields remote code execution. This is the same ViewState deserialization primitive behind the earlier CVE-2025-30406: that issue was a hard-coded machineKey, and its fix gives each deployment its own key, but the LFI simply hands the attacker the per-deployment key instead.

Huntress observed exploitation in the wild starting 27 September 2025, with at least three customers confirmed affected, and the chain worked against builds that were not directly vulnerable to CVE-2025-30406. No vendor patch was available at the time of publication, so Huntress recommends disabling the 'temp' handler in the UploadDownloadProxy Web.config to close the LFI vector, at the cost of some platform functionality. Huntress is withholding full technical details until a patch is available. The combination of an unauthenticated file read that leaks cryptographic keys with a key-gated deserialization sink makes this a critical chain despite the modest CVSS score of the LFI on its own.
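To make the "leaked machineKey means RCE" step concrete, here is an added Python model of ASP.NET's ViewState MAC gate. It is not code from the article, from Huntress, or from Gladinet. The server only hands a ViewState blob to the deserializer when its HMAC validates under the validationKey, so the key is the only thing between an unauthenticated request and the deserializer; the example shows a blind guess failing, a forgery succeeding once Web.config has been read, and the same forgery failing again after the key is rotated. The Web.config text, both key values and the payload bytes are constructed for the example; the MAC construction is a simplified stand-in for the real ASP.NET format (which also mixes in a per-page modifier), and the blob is inert bytes rather than a gadget chain.

```python
import hashlib
import hmac
import re
import secrets

# Constructed stand-in for the UploadDownloadProxy Web.config an attacker
# reads through the LFI. Both key values are made up for this example.
LEAKED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="9D4F0C2A6B1E7385A0C4E2F6B8D1A3C5E7F90B2D4A6C8E0F1A3B5C7D9E1F2A4B"
                decryptionKey="1F3E5D7C9BA0B2C4D6E8F0A1B3C5D7E9"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def extract_validation_key(web_config: str) -> bytes:
    """Pull the hex validationKey out of Web.config text; this is the value
    that matters for ViewState forgery."""
    m = re.search(r'validationKey="([0-9A-Fa-f]+)"', web_config)
    if m is None:
        raise ValueError("no machineKey validationKey in Web.config")
    return bytes.fromhex(m.group(1))


def sign_viewstate(validation_key: bytes, blob: bytes) -> bytes:
    """Simplified MAC model: HMAC-SHA256 over the serialized blob. Real
    ASP.NET also folds in a per-page modifier; that detail is omitted here."""
    return hmac.new(validation_key, blob, hashlib.sha256).digest()


def server_accepts(validation_key: bytes, blob: bytes, mac: bytes) -> bool:
    """The gate: only a MAC-valid blob is handed to the deserializer."""
    return hmac.compare_digest(sign_viewstate(validation_key, blob), mac)


def forge_with_leaked_config(web_config: str, blob: bytes) -> bytes:
    """What the attacker does after the LFI: recover the key, sign any blob."""
    return sign_viewstate(extract_validation_key(web_config), blob)


def rotate_machine_key() -> bytes:
    """Remediation: a fresh random validationKey. Forgeries made under the
    leaked key stop validating the moment the server switches to it."""
    return secrets.token_bytes(32)


def demo() -> dict:
    # Inert placeholder for the attacker's serialized payload; no gadget chain.
    blob = b"constructed-attacker-controlled-viewstate-bytes"
    server_key = extract_validation_key(LEAKED_WEB_CONFIG)

    # Without the key the attacker can only guess the 256-bit MAC.
    blind = server_accepts(server_key, blob, secrets.token_bytes(32))

    # With Web.config in hand, the forged MAC validates and the blob reaches
    # the deserializer.
    forged_mac = forge_with_leaked_config(LEAKED_WEB_CONFIG, blob)
    after_leak = server_accepts(server_key, blob, forged_mac)

    # After the defender rotates the key, the same forgery is rejected.
    after_rotation = server_accepts(rotate_machine_key(), blob, forged_mac)

    return {"blind": blind, "after_leak": after_leak, "after_rotation": after_rotation}


if __name__ == "__main__":
    print(demo())
```

The point of the last step is the one the mitigation section needs: disabling the LFI vector stops new key reads, but a key that was already read keeps working until it is rotated.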

Potential Impact

For European organizations using Gladinet CentreStack and TrioFox, this vulnerability poses a significant risk of full server compromise. Because the LFI needs no authentication, an attacker on the internet can pull the configuration files, including the machineKey, directly, and that key converts into remote code execution on the affected server. From there the usual outcomes follow: theft or tampering of the files these products exist to share, ransomware deployment, and lateral movement into the rest of the network. Remediation is itself disruptive, since the interim mitigation degrades functionality and a confirmed compromise means rotating keys and credentials and possibly rebuilding the host. Organizations in regulated sectors or critical infrastructure also face compliance and reputational exposure from a breach. Active exploitation in the wild makes mitigation urgent rather than optional.

Mitigation Recommendations

1. Immediately disable the 'temp' handler in the UploadDownloadProxy Web.config, located at 'C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config', as recommended by Huntress. Back up the file first. This closes the LFI vector but may reduce some platform functionality, and it is a stopgap, not a fix.
2. Treat any server that was exposed before the handler was disabled as potentially already compromised. If Web.config was read, the attacker holds the machineKey, and a leaked key stays usable for forging ViewState until it is rotated, so regenerate the validationKey and decryptionKey and then hunt for follow-on execution (unexpected child processes of the IIS worker process, new web shells, new local accounts).
3. Monitor IIS and application logs for requests carrying path-traversal sequences or references to Web.config, including URL-encoded and double-encoded forms.
4. Restrict exposure of the management interface and the upload/download proxy endpoints with network segmentation and firewall rules.
5. Enable file integrity monitoring on the Web.config files to catch unauthorized modification. Note that integrity monitoring sees writes, not reads, so it does not detect the LFI itself.
6. Track the vendor advisory and apply the patch as soon as one is released.
7. Inventory every CentreStack and TrioFox deployment, including ones run by business units or partners, and prioritize internet-facing instances.
8. Brief IT and security teams on the LFI-to-ViewState-RCE chain so that alerts on these hosts are triaged correctly.
9. As a compensating control until patches are available, put a Web Application Firewall in front of these hosts with custom rules blocking traversal and Web.config access patterns, bearing in mind that encoding variants can evade naive rules.
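The detection and verification steps above in working form, as an added Python example that is not part of the article or of the vendors' own tooling. The first half parses IIS W3C extended log lines and flags requests that reference Web.config or contain a traversal sequence after repeated URL decoding (so double-encoded and backslash variants are caught); the second half reports whether a 'temp' handler is still registered under system.webServer/handlers and shows what its removal looks like. The log lines, the /proxy/temp path, the client addresses and the Web.config fragment are all constructed for the example, not published indicators or the real handler definition.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed IIS W3C log excerpt. The /proxy/temp path and client addresses
# are placeholders for the example, not indicators from the article.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2025-09-27 02:11:40 203.0.113.7 GET /portal/ - 200 Mozilla/5.0
2025-09-27 02:12:03 203.0.113.7 GET /proxy/temp p=..%2f..%2fweb.config 200 python-requests/2.31.0
2025-09-27 02:12:09 203.0.113.7 GET /proxy/temp p=%252e%252e%255cWeb.config 200 python-requests/2.31.0
2025-09-27 02:15:51 198.51.100.4 POST /portal/default.aspx - 200 Mozilla/5.0
"""

# Constructed Web.config fragment with a handler named 'temp'; the type
# attribute is invented and does not reflect the real product configuration.
WEB_CONFIG_BEFORE = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="temp" path="temp" verb="*" type="Constructed.TempHandler" />
      <add name="other" path="*.ashx" verb="*" type="Constructed.Other" />
    </handlers>
  </system.webServer>
</configuration>
"""


def parse_iis_log(text: str) -> list:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def normalize(s: str) -> str:
    """Decode repeatedly (double encoding is common), fold backslashes to
    forward slashes and lower-case, so variants compare equal."""
    prev = None
    for _ in range(3):
        if s == prev:
            break
        prev, s = s, urllib.parse.unquote(s)
    return s.replace("\\", "/").lower()


def suspicious_requests(records: list) -> list:
    """Flag requests that look like LFI attempts aimed at Web.config."""
    hits = []
    for r in records:
        target = normalize(r["cs-uri-stem"] + "?" + r["cs-uri-query"])
        reasons = []
        if "web.config" in target:
            reasons.append("references web.config")
        if "../" in target:
            reasons.append("path traversal")
        if reasons:
            hits.append({**r, "reasons": reasons})
    return hits


def temp_handler_registered(web_config_xml: str) -> bool:
    """Mitigation check: is a handler named 'temp' still registered?"""
    root = ET.fromstring(web_config_xml)
    for handlers in root.iter("handlers"):
        for add in handlers.findall("add"):
            if add.get("name", "").lower() == "temp":
                return True
    return False


def remove_temp_handler(web_config_xml: str) -> str:
    """Return the config with every 'temp' handler entry removed. ElementTree
    drops comments and the XML declaration on re-serialization, so use this
    to check the intended result, and edit the live file by hand with a backup."""
    root = ET.fromstring(web_config_xml)
    for handlers in root.iter("handlers"):
        for add in list(handlers.findall("add")):
            if add.get("name", "").lower() == "temp":
                handlers.remove(add)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for hit in suspicious_requests(parse_iis_log(SAMPLE_LOG)):
        print(hit["c-ip"], hit["cs-uri-stem"], hit["cs-uri-query"], hit["reasons"])
    print("temp handler present:", temp_handler_registered(WEB_CONFIG_BEFORE))
    print("after removal:", temp_handler_registered(remove_temp_handler(WEB_CONFIG_BEFORE)))
```

Run it against real logs by replacing SAMPLE_LOG with the contents of the IIS log directory for the UploadDownloadProxy site; the field list is taken from the file's own #Fields header, so the column layout does not need to match the constructed sample.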


Technical Details

Article Source
https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html (fetched 2025-10-11T01:08:52Z, 874 words)

Threat ID: 68e9ae2654cfe91d8fe9e2e4

Added to database: 10/11/2025, 1:08:54 AM

Last enriched: 10/11/2025, 1:10:20 AM

Last updated: 10/11/2025, 1:02:15 PM
