Huntress’ Security Operations Center (SOC) detected successful exploitation of Gladinet CentreStack software despite the instance running a build later than 16.4.10315.56368—the version thought immune to the critical CVE-2025-30406 vulnerability.
Initial investigation revealed that an unauthenticated Local File Inclusion (LFI) flaw, now cataloged as CVE-2025-11371, was being leveraged by attackers to extract the hardcoded machine key from the application’s Web.config file.
This key subsequently enabled remote code execution via the already known ViewState deserialization vulnerability tied to CVE-2025-30406.
Although Gladinet patched the earlier ViewState issue, no update has yet addressed CVE-2025-11371, leaving this LFI vector open to exploitation.
Huntress first publicized the in-the-wild exploitation of CVE-2025-30406 in April 2025 and maintains that this new LFI flaw compounds the threat to unpatched environments.
Key observations from the initial detection:
- Anomalous base64-encoded payloads executed as child processes of the web server indicated post-exploitation activity.
- The vulnerable temp handler in UploadDownloadProxy allowed unauthenticated file reads.
- The stolen machine key facilitated SYSTEM-level remote code execution via ViewState deserialization.
Gladinet confirmed awareness of the LFI vulnerability shortly after Huntress’ disclosure and informed the customers it shares with Huntress of an interim mitigation.
Per Huntress’ standard vulnerability disclosure policy, the vendor began notifying customers about a temporary workaround even before an official patch was released.
Huntress has also provided its managed customers with guidance to block the exploit, as three separate instances of real-world compromise have been documented to date.
Details of the Exploitation
The Huntress SOC was first alerted by anomalous base64-encoded payloads spawned as children of the web server process. The irregular payload was indicative of post-exploitation activity associated with CVE-2025-30406.
Upon deeper forensic analysis, logs showed that the attackers first accessed the UploadDownloadProxy component’s Web.config file located under the Gladinet Cloud Enterprise installation directory.
By sending specially crafted HTTP requests to the temp handler endpoint, the threat actors were able to retrieve its full contents without any authentication challenge.
Once in possession of the machine key, the attackers generated malicious ViewState packets that, upon deserialization by the server, executed arbitrary code with SYSTEM-level privileges.
Huntress observed this two-stage attack unfold within minutes of initial access. The timeline captured by the SOC illustrates a swift transition from unauthorized file disclosure to remote code execution.
Although details remain under embargo until Gladinet issues an official patch, preliminary evidence suggests that the same chain of vulnerabilities may facilitate lateral movement and deployment of stealthy backdoors in enterprise environments.
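The alert described in this section, rebuilt as an added detection example (this is not Huntress’ detection logic or code): it scans process-creation records for a child of the web server worker process that carries a PowerShell -EncodedCommand argument, and decodes the base64 (UTF-16LE) so an analyst can read what was launched. It assumes the worker process is IIS’s w3wp.exe and that events arrive as constructed "timestamp|parent_image|image|command_line" lines; the sample log and its harmless encoded payload are constructed for the example.

```python
"""Flag encoded PowerShell spawned by the web server worker process.

Added example, not Huntress code. Assumes an IIS worker (w3wp.exe) and a
constructed 'timestamp|parent_image|image|command_line' record format.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: CentreStack runs under IIS, whose worker process is w3wp.exe.
WEB_SERVER_IMAGES = {"w3wp.exe"}

# powershell.exe accepts these spellings of -EncodedCommand; the argument is
# base64 of a UTF-16LE script. Require a plausible base64 run of 16+ chars.
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/]{16,}={0,2})"
)


@dataclass
class Finding:
    timestamp: str
    parent_image: str
    image: str
    command_line: str
    decoded: Optional[str]  # None when the blob is not valid UTF-16LE base64


def decode_encoded_command(blob: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE) or return None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(lines: List[str]) -> List[Finding]:
    """Return a Finding for each web-server child that carries an encoded command."""
    findings: List[Finding] = []
    for line in lines:
        try:
            ts, parent, image, cmdline = line.split("|", 3)
        except ValueError:
            continue  # malformed record: skip it rather than abort the scan
        if basename(parent) not in WEB_SERVER_IMAGES:
            continue
        match = ENCODED_ARG.search(cmdline)
        if not match:
            continue
        findings.append(
            Finding(ts, parent, image, cmdline, decode_encoded_command(match.group(1)))
        )
    return findings


# Constructed sample: the encoded payload is a harmless Write-Output so the log
# can be embedded here; what matters is its position as a child of w3wp.exe.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    # suspicious: the IIS worker spawned an encoded PowerShell command
    "2025-10-09T14:02:11Z|C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    f"|powershell.exe -enc {SAMPLE_B64}",
    # not flagged: same encoded command, but launched from an interactive shell
    "2025-10-09T14:03:40Z|C:\\Windows\\explorer.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    f"|powershell.exe -enc {SAMPLE_B64}",
    # not flagged: IIS worker child without an encoded command
    "2025-10-09T14:05:02Z|C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|C:\\Windows\\System32\\conhost.exe|conhost.exe 0x4",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.timestamp, f.image, "->", f.decoded)
```

The rule keys on the parent/child relationship rather than on the payload content, which is why the same encoded command launched from explorer.exe is left alone; in production the decoded script would be attached to the alert so the analyst sees the command rather than a base64 blob.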
Recommended Mitigation
Given the absence of an official security update for CVE-2025-11371, immediate action is critical for organizations running vulnerable versions of CentreStack and Triofox.
Huntress strongly advises administrators to disable the temp handler in the UploadDownloadProxy Web.config file.
This handler is referenced via an <add> directive that points to the t.dn assembly responsible for processing temporary storage operations.
Removal of this line will effectively prevent unauthenticated file reads via the LFI flaw, breaking the first link in the attack chain.
Administrators should take the following steps immediately:
- Back up the existing Web.config file before making changes.
- Locate and remove the following entry:
<add name="temp" path="temp" verb="*" type="Gladinet.Cloud.Proxy.TempHandler, t.dn" />
- Restart the UploadDownloadProxy service to apply configuration changes.
- Monitor application logs for errors or unexpected behavior resulting from the disabled handler.
Although disabling this handler may disrupt certain upload or download functions, the trade-off ensures that malicious actors cannot extract the machine key and pivot to remote code execution. Once Gladinet releases an official patch, restore the handler entry as part of the update process.
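The workaround above, as an added Python example that is not Huntress’ or Gladinet’s code: it backs up Web.config, removes every handler registration named temp or pointing at the t.dn TempHandler type, and reports whether any such entry remains, which covers the later verification step as well. It assumes the entry sits under system.webServer/handlers, where IIS registers handlers; the sample Web.config is constructed and is not the product’s real file.

```python
"""Back up a Web.config and remove the Gladinet UploadDownloadProxy temp handler.

Added example, not vendor code. Assumes the handler is registered under
system.webServer/handlers as IIS handlers normally are.
"""
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Tuple

# The handler entry named in the guidance above.
TEMP_HANDLER_NAME = "temp"
TEMP_HANDLER_TYPE = "Gladinet.Cloud.Proxy.TempHandler, t.dn"
XML_DECLARATION = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed sample Web.config, not the product's real file.
SAMPLE_WEB_CONFIG = XML_DECLARATION + """<configuration>
  <system.webServer>
    <handlers>
      <add name="temp" path="temp" verb="*" type="Gladinet.Cloud.Proxy.TempHandler, t.dn" />
      <add name="other" path="other" verb="*" type="Example.OtherHandler, example" />
    </handlers>
  </system.webServer>
</configuration>
"""


def _is_temp_handler(add: ET.Element) -> bool:
    # Match on either the name or the assembly-qualified type, so a renamed
    # entry that still points at the t.dn TempHandler is caught too.
    name = (add.get("name") or "").strip().lower()
    typ = " ".join((add.get("type") or "").split())  # normalise whitespace
    return name == TEMP_HANDLER_NAME or typ == TEMP_HANDLER_TYPE


def temp_handler_entries(xml_text: str) -> List[str]:
    """Return the path attribute of every temp-handler registration still present."""
    root = ET.fromstring(xml_text)
    return [a.get("path", "") for h in root.iter("handlers")
            for a in h.findall("add") if _is_temp_handler(a)]


def remove_temp_handler(xml_text: str) -> Tuple[str, int]:
    """Return (new_xml, number_of_entries_removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for handlers in root.iter("handlers"):
        for add in list(handlers.findall("add")):  # copy: we mutate while iterating
            if _is_temp_handler(add):
                handlers.remove(add)
                removed += 1
    return XML_DECLARATION + ET.tostring(root, encoding="unicode"), removed


def harden_web_config(path: Path) -> int:
    """Back up path to <name>.bak, strip the temp handler, return how many were removed."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)  # step 1: keep a copy for the post-patch restore
    new_xml, removed = remove_temp_handler(path.read_text(encoding="utf-8"))
    if removed:
        path.write_text(new_xml, encoding="utf-8")
    return removed


def demo() -> Tuple[int, bool, List[str]]:
    """Run the procedure against a temporary copy of the constructed sample."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "Web.config"
        cfg.write_text(SAMPLE_WEB_CONFIG, encoding="utf-8")
        removed = harden_web_config(cfg)
        backup_ok = (Path(d) / "Web.config.bak").read_text(encoding="utf-8") == SAMPLE_WEB_CONFIG
        remaining = temp_handler_entries(cfg.read_text(encoding="utf-8"))
    return removed, backup_ok, remaining


if __name__ == "__main__":
    print(demo())  # (1, True, []) for the constructed sample
```

ElementTree discards XML comments and may reflow whitespace when it rewrites the file, so diff the .bak copy against the result before restarting the UploadDownloadProxy service; temp_handler_entries can be re-run on any deployment afterwards to confirm no temp handler registration remains.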
Huntress continues to work closely with Gladinet and affected customers to validate the mitigation and will update its guidance upon release of a permanent fix.
In the meantime, organizations should review their CentreStack and Triofox deployments, apply the workaround immediately, and verify that no rogue temp handler endpoints remain accessible.