Executive Summary
In early June 2024, threat actors began exploiting a previously unknown cryptographic implementation flaw in Gladinet's CentreStack and Triofox products, enabling them to remotely execute code on vulnerable servers. By leveraging crafted payloads targeting insecure cryptographic validation, attackers bypassed authentication mechanisms and gained unauthorized access to sensitive file sharing environments. This led to potential exposure of confidential data, lateral movement, and service disruption for affected organizations, particularly those relying on CentreStack for enterprise file sharing and remote access.
This incident highlights the risks of cryptographic implementation errors and the urgent need for patch management, especially for third-party cloud and SaaS solutions. As attackers increasingly weaponize zero-day flaws in commonly used remote file access platforms, enterprises must prioritize robust monitoring and rapid response strategies.
Why This Matters Now
The exploitation of previously undocumented cryptographic flaws in remote file sharing platforms underscores the growing trend of zero-day attacks targeting enterprise collaboration tools. With adversaries exploiting encryption weaknesses for remote code execution, immediate action is required to patch systems, reassess third-party security dependencies, and enhance east-west traffic inspection.
Attack Path Analysis
Attackers exploited a cryptographic flaw in Gladinet CentreStack to achieve initial compromise via remote code execution. After gaining access, they likely elevated privileges within the application or underlying environment. They then attempted lateral movement to access additional workloads or resources. Next, the attackers established command and control channels to remotely manage the compromised systems. Data exfiltration or remote file transfers occurred via outbound channels. Finally, attackers could have impacted business operations by deploying malware, stealing data, or disrupting service.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited an undocumented cryptographic vulnerability in CentreStack to gain unauthorized remote code execution on exposed systems.
Related CVEs
CVE-2025-30406 (CVSS 9)
A hardcoded cryptographic key in Gladinet CentreStack and Triofox allows unauthenticated remote code execution via ASP.NET ViewState deserialization.
Affected Products:
- Gladinet CentreStack – < 16.4.10315.56368
- Gladinet Triofox – < 16.4.10317.56372
Exploit Status: exploited in the wild

CVE-2025-11371 (CVSS 6.2)
An unauthenticated local file inclusion vulnerability in Gladinet CentreStack and Triofox allows attackers to retrieve sensitive files, leading to potential remote code execution.
Affected Products:
- Gladinet CentreStack – <= 16.7.10368.56560
- Gladinet Triofox – <= 16.7.10368.56560
Exploit Status: exploited in the wild

CVE-2025-14611 (CVSS 7.1)
Hardcoded values in the AES cryptoscheme of Gladinet CentreStack and Triofox degrade security, potentially allowing unauthenticated local file inclusion.
Affected Products:
- Gladinet CentreStack – < 16.12.10420.56791
- Gladinet Triofox – < 16.12.10420.56791
Exploit Status: exploited in the wild
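The three advisories above mix strict ("<") and inclusive ("<=") version boundaries, and four-part build numbers such as 16.12.x sort before 16.4.x when compared as strings, which is an easy way to mis-classify a patched host. The following inventory check is an added example written for this page, not Gladinet code; the version thresholds are taken from the advisory text, while the product names and build numbers fed to it are constructed samples (how a given deployment reports its build number is an assumption left to the operator).

```python
"""Classify Gladinet CentreStack / Triofox build numbers against the affected
ranges listed in the advisory. Added example; thresholds come from the advisory
text, sample inventory entries are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    boundary: str     # version string quoted in the advisory
    inclusive: bool   # True when the advisory says "<=" (boundary itself is affected)


# Thresholds exactly as listed in the advisory for each product.
ADVISORY = {
    "CentreStack": [
        AffectedRange("CVE-2025-30406", "16.4.10315.56368", inclusive=False),
        AffectedRange("CVE-2025-11371", "16.7.10368.56560", inclusive=True),
        AffectedRange("CVE-2025-14611", "16.12.10420.56791", inclusive=False),
    ],
    "Triofox": [
        AffectedRange("CVE-2025-30406", "16.4.10317.56372", inclusive=False),
        AffectedRange("CVE-2025-11371", "16.7.10368.56560", inclusive=True),
        AffectedRange("CVE-2025-14611", "16.12.10420.56791", inclusive=False),
    ],
}


def parse_version(version):
    """Split a dotted build string into a tuple of ints.

    Tuples compare component by component, so 16.12.* correctly sorts after
    16.4.*; a plain string comparison would get this backwards.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version, rng):
    """Apply the advisory's '<' or '<=' rule for one CVE."""
    ver = parse_version(version)
    boundary = parse_version(rng.boundary)
    return ver <= boundary if rng.inclusive else ver < boundary


def open_cves(product, version):
    """Return the CVE ids from the advisory that still apply to this build."""
    if product not in ADVISORY:
        raise KeyError(f"unknown product: {product!r}")
    return [r.cve for r in ADVISORY[product] if is_affected(version, r)]


def audit(inventory):
    """Map (host, product, version) records to the CVEs each host is exposed to.

    Hosts with unparsable versions are reported under the key "unparsable" so a
    bad asset record never silently reads as 'patched'.
    """
    report = {}
    for host, product, version in inventory:
        try:
            report[host] = open_cves(product, version)
        except ValueError:
            report[host] = ["unparsable"]
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("files-01", "CentreStack", "16.4.10315.56367"),   # predates every fix
        ("files-02", "CentreStack", "16.4.10315.56368"),   # fixed for -30406 only
        ("tf-01", "Triofox", "16.12.10420.56791"),          # fully patched
        ("tf-02", "Triofox", "16.7.build-unknown"),         # bad asset record
    ]
    for host, cves in audit(sample).items():
        print(f"{host}: {', '.join(cves) if cves else 'no open advisory CVEs'}")
```

The inclusive flag matters: a CentreStack host on exactly 16.7.10368.56560 is still inside the CVE-2025-11371 range, while a host on exactly 16.4.10315.56368 is outside the CVE-2025-30406 range.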
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Defense Evasion
Exploitation for Client Execution
Phishing
Command and Scripting Interpreter
Windows Management Instrumentation
Impair Defenses
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Security of Cryptographic Keys
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – Digital Operational Resilience Act – Information and Communication Technology (ICT) Risk Management
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Strong Authentication Mechanisms
Control ID: Identity – Authentication
NIS2 Directive – Security of Network and Information Systems – Cryptography
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Remote code execution vulnerabilities in file sharing platforms directly impact IT infrastructure, requiring immediate patching and zero trust segmentation implementation.
Financial Services
Cryptographic flaws enable data exfiltration from secure file repositories, violating PCI compliance and exposing sensitive financial data to lateral movement.
Health Care / Life Sciences
Compromised remote access systems threaten HIPAA-protected patient data, necessitating enhanced east-west traffic monitoring and encrypted communications for compliance.
Legal Services
Attorney-client privileged documents stored in vulnerable file sharing systems face unauthorized access through exploited cryptographic implementations and inadequate egress controls.
Sources
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks – https://www.bleepingcomputer.com/news/security/hackers-exploit-gladinet-centrestack-cryptographic-flaw-in-rce-attacks/ (Verified)
- Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw – https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw (Verified)
- CVE-2025-30406: Critical Remote Code Execution Vulnerability in Gladinet CentreStack and Triofox Actively Exploited – https://cybersrcc.com/2025/04/25/cve-2025-30406-critical-remote-code-execution-vulnerability-in-gladinet-centrestack-and-triofox-actively-exploited/ (Verified)
- CVE-2025-11371: Gladinet CentreStack / Triofox Local File Inclusion – https://horizon3.ai/attack-research/vulnerabilities/cve-2025-11371/ (Verified)
Cloud Native Security Fabric Mitigations and Controls (CNSF)
Cloud Network Security Framework (CNSF) capabilities like Zero Trust Segmentation, East-West Traffic Security, and Egress Policy Enforcement would have limited attacker movement, detected anomalous activity, and blocked outbound exfiltration attempts. Real-time visibility and inline threat detection bolster defenses at each stage, significantly constraining the attacker's ability to progress through the kill chain.
Control: Inline IPS (Suricata)
Mitigation: Signature-based inspection detects and blocks known exploit payloads targeting application vulnerabilities.
Control: Zero Trust Segmentation
Mitigation: Limits attacker’s access scope, reducing the blast radius if initial access is gained.
Control: East-West Traffic Security
Mitigation: Inter-workload traffic is closely monitored and controlled to prevent unauthorized movement.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious C2 channels and remote admin traffic are detected and alerted in real-time.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized data exfiltration attempts are blocked at network egress points.
Integrated visibility and distributed enforcement reduce the attacker's opportunity for destructive actions.
Impact at a Glance
Affected Business Functions
- File Sharing
- Remote Access
- Data Storage
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive configuration files and user data due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Implement inline intrusion prevention to block known and emerging application exploits at the network perimeter.
- Enforce zero trust segmentation and microsegmentation to limit attacker movement and privilege escalation within cloud environments.
- Deploy robust east-west traffic monitoring and policy controls to detect and contain lateral movement.
- Establish egress security controls with centralized policy enforcement to prevent command and control and data exfiltration.
- Continuously monitor for threats and anomalies with real-time alerting and automated response across all cloud and hybrid workloads.