Ongoing attacks on Gladinet's CentreStack and Triofox vulnerabilities
Take action: If you're running Gladinet CentreStack or Triofox, THIS IS URGENT. Immediately disable the temp handler in the UploadDownloadProxy Web.config file to prevent active exploitation, since there is no official patch available yet. If you can't apply this workaround, isolate the servers from the internet. Hackers love file sharing platforms, so make sure you don't get hacked.
Security research firm Huntress is warning of active exploitation of a flaw affecting Gladinet's CentreStack and Triofox file-sharing platforms.
The vulnerability, tracked as CVE-2025-11371 (CVSS score 6.2), is an unauthenticated local file inclusion flaw that affects the default installation and configuration of both CentreStack and Triofox products.
Attackers use the flaw to retrieve the machine key from the application's Web.config file located in the UploadDownloadProxy component. Once obtained, this machine key enables attackers to forge ASP.NET ViewState payloads that pass the application's integrity checks. These forged payloads can then be used to exploit CVE-2025-30406 (CVSS score 9.8). The vulnerability chaining technique effectively renders the patch for CVE-2025-30406 insufficient on its own.
Researchers discovered that Gladinet had already engaged with affected customers to implement mitigation solutions before Huntress made formal contact. The company has been sending direct email communications to customers explaining the mitigation steps instead of publishing a public security advisory.
Until Gladinet releases an official patch, organizations running CentreStack or Triofox should immediately implement the following workaround to protect their systems:
- Administrators should disable the temp handler within the Web.config file for the UploadDownloadProxy component, located at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config. This means removing the specific handler line that points to the t.dn assembly responsible for processing temporary storage operations. This modification will impact some file upload and download functionality of the platform, but it effectively prevents the vulnerability from being exploited by blocking unauthenticated file reads via the local file inclusion flaw.
- After making the change, administrators must restart the web service to ensure the modification takes effect.
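A read-only PowerShell check for the workaround above, added here as an example (it is not Gladinet's or Huntress's code): it lists handler registrations in the UploadDownloadProxy Web.config that still reference t.dn. The function name `Find-TempHandler` and the sample configuration are constructed, and because the page does not show the exact handler line, the match is on any attribute containing `t.dn`.

```powershell
# Added example: read-only audit of Web.config for handlers that reference t.dn.
function Find-TempHandler {
    param([Parameter(Mandatory)] [xml] $Config)

    # Handlers may be registered under system.webServer/handlers or
    # system.web/httpHandlers; local-name() ignores any XML namespace.
    $xpath = "//*[local-name()='handlers' or local-name()='httpHandlers']/*[local-name()='add']"
    foreach ($node in $Config.SelectNodes($xpath)) {
        # Assumption: the page does not show the exact handler line, so match
        # "t.dn" in any attribute (path, type, name) of the registration.
        $hit = $node.Attributes | Where-Object { $_.Value -match '\bt\.dn\b' }
        if ($hit) {
            [pscustomobject]@{
                Section = $node.ParentNode.LocalName
                Entry   = $node.OuterXml
            }
        }
    }
}

# Constructed sample config (handler names and types are placeholders).
# The commented-out entry is not reported, since IIS ignores it as well.
$sample = [xml]@'
<configuration>
  <system.webServer>
    <handlers>
      <!-- <add name="disabled" verb="*" path="t.dn" type="Placeholder.Handler" /> -->
      <add name="placeholder-temp" verb="*" path="t.dn" type="Placeholder.Handler, Placeholder" />
      <add name="placeholder-other" verb="*" path="other.ashx" type="Placeholder.Other, Placeholder" />
    </handlers>
  </system.webServer>
</configuration>
'@

# Use the real file when present; otherwise fall back to the constructed sample.
$path = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config'
$config = if (Test-Path -LiteralPath $path) { [xml](Get-Content -LiteralPath $path -Raw) } else { $sample }

$found = @(Find-TempHandler -Config $config)
if ($found.Count -gt 0) {
    Write-Warning "Handler still references t.dn ($($found.Count) entry); workaround not applied:"
    $found | Format-List
} else {
    Write-Output 'No active handler entry references t.dn.'
}
```

The check only inspects the file on disk; a clean result does not confirm that the web service has been restarted since the edit.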
For organizations that cannot immediately implement the mitigation due to operational constraints, alternative security measures include placing affected systems behind additional layers of protection, implementing allow-lists to restrict access to the web interface so it is not visible from the entire internet, and ensuring all access is logged and monitored for signs of exploitation attempts.
Update - as of 4th of November 2025, CISA has confirmed active exploitation of this flaw.