Attack Surface Management
,
Security Operations
Attackers Read Server Files and Steal Credentials in Gladinet CentreStack, Triofox
Hackers are exploiting a flaw allowing them to access without authentication document root folder files in file-sharing and remote-access software, where they obtain access tokens and passwords to unlock remote access to corporate file systems, warn researchers.
See Also: Combatting the Vulnerability Prioritization Challenge: A Guide to DVE Intelligence
Cybersecurity company Huntress found that Gladinet CentreStack and Triofox platforms were vulnerable to a local file inclusion vulnerability. Tracked as CVE-2025-11371, the issue allows remote attackers to take advantage of how web applications often call server-side files. Huntress said it has observed in-the-wild exploitation targeting exposed instances.
Attackers began scanning and targeting vulnerable systems at least a week before public disclosure, the company said. The firm said more than 6,000 instances of Gladinet CentreStack and Triofox were exposed to the internet at the time of its investigation, which began Sept. 27.
The flaw is an unauthenticated local file-inclusion bug that enables an attacker request and read files from the application’s filesystem without logging in. Attackers can simply supply specially crafted input to the affected web endpoints and retrieve arbitrary server files – for example, configuration files that contain cryptographic keys, access tokens or passwords. Huntress said exploiters have used the local file inclusion flaw to read the application’s web.config and extract the machine key, which in turn can be abused to forge a malicious ViewState and achieve remote code execution.
Because the vulnerability requires no authentication and affects internet-facing installs, successful exploitation can immediately expose credentials and sensitive configuration data, enable unauthorized access to corporate file systems and be chained to execute code on the server.
Huntress technical analysis showed the attack path used a temporary handler in the UploadDownloadProxy component to trigger file reads. Removing that handler from UploadDownloadProxyWeb.config blocks the local file inclusion path.
The same cybersecurity firm had earlier https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild” target=”_blank”>uncovered another critical flaw – CVE-2025-30406 – in the Gladinet CentreStack and Triofox platforms. That bug allowed remote code execution, giving attackers control over vulnerable servers. Huntress said both vulnerabilities stem from similar weaknesses in how the software processes user-supplied input, underscoring persistent security gaps in the products’ design.
![What is Cyber Security With Full Information? – [Hindi] – Quick Support](https://cyberinchief.com/wp-content/uploads/2025/10/1760311488_hqdefault-75x75.jpg)
