Gladinet CentreStack & Triofox Zero-Day Leads to Chain Exploit and Remote Code Execution
Executive Summary
In October 2025, threat actors exploited a zero-day vulnerability (CVE-2025-11371) in Gladinet’s CentreStack and Triofox file sharing solutions, used by thousands of businesses worldwide. The flaw, a local file inclusion (LFI) bug present in all current product versions, was leveraged to extract sensitive configuration data and trigger a previously known deserialization vulnerability (CVE-2025-30406), resulting in remote code execution (RCE). At least three organizations have confirmed exploitation as attackers gained unauthorized access before Gladinet issued a patch, forcing emergency mitigations that affected platform functionality.
This incident highlights how chained vulnerabilities and rapid exploitation of zero-days continue to threaten cloud-based file sharing services. With attackers escalating LFI into full RCE, organizations face heightened pressure to improve visibility, patch agility, and enforce Zero Trust controls, especially amid growing regulatory scrutiny.
Why This Matters Now
The rapid weaponization of chained zero-day vulnerabilities in critical business applications spotlights urgent gaps in segmentation, east-west traffic security, and proactive threat detection. Organizations relying on third-party cloud file sharing platforms must urgently review controls, as unpatched LFI and deserialization flaws can enable full system compromise before defenses or patches are deployed.
Attack Path Analysis
Attackers exploited a zero-day LFI vulnerability in Gladinet software to access sensitive system files and the application machine key. The stolen key enabled them to leverage a known deserialization flaw for remote code execution. After gaining code execution, adversaries could have escalated privileges to increase access. Lateral movement was possible to other workloads or regions if network segmentation was weak. The attackers may have established command and control to maintain persistent access and orchestrate payloads. Sensitive data could then be exfiltrated via compromised outbound channels. Ultimately, business disruption or further impact could have been inflicted using ransomware or destructive actions.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the unauthenticated local file inclusion (LFI) vulnerability (CVE-2025-11371) in Gladinet CentreStack/Triofox to read Web.config and extract the machine key.
Related CVEs
CVE-2025-11371
CVSS 7.5An unauthenticated Local File Inclusion vulnerability in Gladinet CentreStack and Triofox allows unintended disclosure of system files.
Affected Products:
Gladinet CentreStack – <= 16.7.10368.56560
Gladinet Triofox – <= 16.7.10368.56560
Exploit Status:
exploited in the wildCVE-2025-30406
CVSS 9.8A deserialization vulnerability in Gladinet CentreStack due to hardcoded machineKey allows remote code execution.
Affected Products:
Gladinet CentreStack – <= 16.1.10296.56315
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Shared Modules
Data Obfuscation
Create Account
Credentials from Password Stores
Process Injection: Dynamic-link Library Injection
Exploitation of Remote Services
NetNTLM Downgrade
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Systems and Tools Security
Control ID: Art. 8
CISA ZTMM 2.0 – Device Security Posture
Control ID: Identity Pillar - Device Security
NIS2 Directive – Technical and Organizational Measures for Risk Management
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical exposure through widespread Gladinet file sharing deployments, enabling remote code execution via zero-day LFI vulnerabilities affecting authentication systems.
Financial Services
High-risk sector using file sharing for sensitive data; zero-day exploitation threatens compliance requirements and enables unauthorized system access.
Health Care / Life Sciences
Protected health information at risk through compromised file sharing platforms; RCE capabilities violate HIPAA encryption and access controls.
Legal Services
Confidential client data vulnerable through exploited file sharing systems; remote code execution threatens attorney-client privilege and regulatory compliance.
Sources
- Hackers exploiting zero-day in Gladinet file sharing softwarehttps://www.bleepingcomputer.com/news/security/hackers-exploiting-zero-day-in-gladinet-file-sharing-software/Verified
- NVD - CVE-2025-11371https://nvd.nist.gov/vuln/detail/CVE-2025-11371Verified
- NVD - CVE-2025-30406https://nvd.nist.gov/vuln/detail/CVE-2025-30406Verified
- Huntress Blog: Gladinet CentreStack and Triofox Local File Inclusion Flawhttps://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flawVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
CNSF controls such as zero trust segmentation, inline visibility, east-west security, egress policy enforcement, and anomaly detection would have minimized attack progression. Segmenting workloads, monitoring unusual behaviors, and enforcing least-privilege network paths could have blocked or detected each kill chain stage.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Attack surface reduced and inline inspection at the perimeter to detect unauthorized access attempts.
Control: Zero Trust Segmentation
Mitigation: Limits privilege escalation scope by restricting application-to-workload communication.
Control: East-West Traffic Security
Mitigation: Lateral movement blocked via enforcement of workload-to-workload identity-based policies.
Control: Egress Security & Policy Enforcement
Mitigation: Detects and blocks suspicious or unauthorized outbound communication attempts.
Control: Multicloud Visibility & Control
Mitigation: Exfiltration attempts detected and halted via centralized monitoring and policy.
Early-stage threat activity is detected and automatic response is triggered.
Impact at a Glance
Affected Business Functions
- File Sharing
- Remote Access
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive system files due to unauthenticated access.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce zero trust segmentation and microsegmentation to limit exploit scope and block lateral movement.
- • Apply stringent east-west and egress traffic controls with continuous monitoring to flag anomalous behaviors and data exfiltration.
- • Rapidly deploy inline perimeter protections (CNSF) for vulnerability exploitation attempts with real-time alerting.
- • Leverage centralized multicloud visibility for early detection and broad policy enforcement to constrain attacker opportunities.
- • Integrate anomaly detection and automated response capabilities to minimize breach dwell time and reduce business impact.
