Gladinet Zero-Day: Ultimate 5-Step Fix for CVE-2025-11371 Now

URGENT SECURITY ALERT: If your organization uses Gladinet’s CentreStack or Triofox for file sharing, you are at immediate risk. A critical Gladinet zero-day vulnerability, tracked as CVE-2025-11371, has been actively exploited in the wild since late September 2025. This flaw allows unauthenticated attackers to access sensitive system files, providing a direct gateway into your network. Security patches were released in October, but thousands of businesses remain vulnerable.

This is not a theoretical threat—it is an active crisis. The problem is a Local File Inclusion (LFI) vulnerability that requires no password and no user interaction to exploit. This guide provides an emergency, step-by-step protocol to apply the CVE-2025-11371 fix, assess your systems for compromise, and harden your CentreStack security posture against future attacks. Your immediate action is required to prevent a catastrophic data breach.

What is CVE-2025-11371? The Unauthenticated File Access Flaw

The Gladinet zero-day CVE-2025-11371 is a critical vulnerability rooted in how CentreStack and Triofox handle file path requests. At its core, it’s a Local File Inclusion (LFI) flaw. This means an attacker can manipulate a web request to trick the server into accessing and displaying the contents of files that should be protected, such as configuration files, password hashes, and other sensitive system data.

The most dangerous aspect of this Gladinet zero-day is that it requires no authentication. An attacker simply needs to know your server’s address. By sending a specially crafted request, they can traverse the file system and read critical files. This type of vulnerability is similar in principle to path traversal flaws seen in other web applications, which are often discussed in the context of our SQL Injection and Database Exploitation Guide.

Once an attacker has read sensitive configuration files, they can often find credentials or session tokens that allow them to escalate their privileges, leading to a full system compromise. This initial foothold is frequently used to deploy malware or a rootkit, turning your file-sharing server into a permanent backdoor into your network. Understanding the nature of such malicious software is crucial, a topic covered in-depth in our Malware Analysis Techniques Guide.

Am I Affected? A Quick Checklist for Detection

Before you rush to patch, you must quickly determine your exposure. This initial triage is a fundamental part of any effective incident response.

1. Check Your Product and Version:
The Gladinet zero-day impacts specific versions of CentreStack and Triofox. Refer to this table to see if your deployment is on the list.

| Product     | Affected Versions | Patch Available |
|-------------|-------------------|-----------------|
| CentreStack | 13.x and below    | Yes             |
| Triofox     | 13.x and below    | Yes             |

2. Look for Indicators of Compromise (IoCs):
Since this vulnerability has been exploited since September 2025, you must assume you have been targeted. Look for these signs:

  • Unusual Web Server Logs: Check your IIS or web server logs for strange-looking GET requests. Look for URL patterns that contain directory traversal sequences (../, ..\) or requests for sensitive system files (e.g., web.config, C:\Windows\System32\drivers\etc\hosts).
  • Anomalous File Access: Monitor your server for unexpected access to core system files by the web server’s user account.
  • New, Unexplained User Accounts: Check for any new administrative accounts created on the server or within CentreStack itself.
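
The web server log check above can be automated. The following is an added example, not part of the original guide or any Gladinet tooling: a Python scan of IIS W3C-format logs for the traversal sequences and file names listed above, including percent-encoded and double-encoded forms. The sample log lines and the /example/handler.ashx path are constructed for illustration and are not the product's real endpoints.

```python
import re
from urllib.parse import unquote

# Patterns from the checklist above, matched on the decoded, lower-cased URL.
TRAVERSAL = re.compile(r"\.\.[/\\]")
SENSITIVE = ("web.config", r"system32\drivers\etc\hosts")

# Constructed sample log (documentation IPs, hypothetical handler path).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-10-01 03:12:44 GET /portal/login.aspx - 192.0.2.10 200
2025-10-01 03:13:02 GET /example/handler.ashx file=..\\..\\web.config 198.51.100.7 200
2025-10-01 03:13:09 GET /example/handler.ashx file=%252e%252e%252f%252e%252e%252fWindows%252fSystem32%252fdrivers%252fetc%252fhosts 198.51.100.7 200
2025-10-01 03:14:30 GET /portal/files/report.pdf - 192.0.2.10 200
""".splitlines()

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_iis_log(lines):
    """Yield (client_ip, status, reasons, url) for suspicious W3C log entries."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        url = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "")
        decoded = fully_decode(url).lower()
        reasons = []
        if TRAVERSAL.search(decoded):
            reasons.append("traversal")
        if any(name in decoded.replace("/", "\\") for name in SENSITIVE):
            reasons.append("sensitive-file")
        if reasons:
            yield row.get("c-ip"), row.get("sc-status"), reasons, url

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request deserves closer attention than a 4xx, since it suggests the server returned content rather than rejecting the request.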

Performing these checks may require technical skills. If you are unsure, it is best to bring in an expert or follow a structured verification process like those used in ethical hacking. Our Complete Ethical Hacking Guide 2025 provides foundational knowledge for this type of testing. If you find any of these signs, you must immediately escalate to a full incident response as detailed in our Incident Response Framework Guide.

Emergency Patching: Applying the CVE-2025-11371 Fix

If your version is vulnerable but you have found no signs of compromise, your top priority is to apply the CVE-2025-11371 fix. Do not delay this process.

Step 1: Backup Your Current Configuration.
Before any update, create a full backup of your CentreStack or Triofox environment. This includes the application database and the application’s root folder. This is a critical safety net.

Step 2: Download the Official Security Update.
Go directly to the Gladinet Upgrade Portal. Do not download the patch from any third-party website. Download the latest patched version (versions 14.x and higher contain the CVE-2025-11371 fix).

Step 3: Run the Installer.
The Gladinet update process is generally straightforward. Run the installer for the new version on your CentreStack/Triofox server. The installer will handle the process of stopping services, replacing the necessary files, and restarting the services.

Step 4: Verify the Update.
After the installation is complete and the services are back online, log into your admin dashboard. Navigate to the “About” or “System Information” section and verify that the version number now reflects the new, patched version. Test basic file-sharing functionality to ensure the update has not caused any operational issues. This verification step is a crucial part of the CentreStack security update process.

A successful patch deployment is a key milestone in your incident response. For a broader view on how patching fits into the overall response lifecycle, refer again to our Incident Response Framework Guide.

If You Are Already Exploited: Crisis Response Protocol

If you found any IoCs during the detection phase, you must assume your system is fully compromised. The Gladinet zero-day has been used to deploy backdoors. Patching alone is not enough; the attacker may already have persistent access. You are now in a full incident response scenario.

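| Status     | Action                | Timeline      | Priority |
|------------|-----------------------|---------------|----------|
| Vulnerable | Apply Patch ASAP      | Within 24 hrs | High     |
| Exploited  | Isolate & Investigate | Immediately   | Critical |
| Unknown    | Audit & Scan Logs     | Within 48 hrs | Medium   |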

Step 1: Isolate the Server.
Immediately disconnect the compromised server from the network. Unplug the network cable. This prevents the attacker from moving laterally to other systems and stops any ongoing data exfiltration.

Step 2: Preserve Evidence.
Do not turn off the server. Powering it down will destroy volatile memory (RAM), which contains critical forensic evidence about the attacker’s activities. Take a full disk image of the server for forensic analysis. This analysis is a specialized skill, covered in our Malware Analysis Techniques Guide.

Step 3: Rebuild, Don’t Clean.
A compromised system can never be fully trusted again. Do not attempt to “clean” the server. The only safe path is to rebuild it from scratch on new or fully wiped hardware. Install a fresh operating system and the newly patched version of CentreStack/Triofox.

Step 4: Restore Data from a Clean Backup.
Restore your file and database data from a backup that you know was taken before the date of compromise (i.e., before late September 2025). Carefully scan the restored data for any signs of malware dropper files before bringing the system back online. Attackers often use file-sharing platforms to distribute malicious tools, which you can learn about in our guide to Black Hat Hacking Tools.

Prevention and Hardening: Strengthening Your CentreStack Security

Applying the CVE-2025-11371 fix is a reactive measure. To get ahead of the next Gladinet zero-day, you must proactively harden your CentreStack security.

Action 1: Minimize Your Attack Surface.
Do not expose your CentreStack/Triofox server directly to the public internet if it’s not necessary. Place it behind a Web Application Firewall (WAF) and restrict access to known IP addresses where possible.

Action 2: Implement Continuous Monitoring.
Use security tools to continuously monitor your web server logs and file system for suspicious activity. AI-powered tools can be particularly effective at spotting the subtle anomalies that indicate a zero-day attack in progress. For an overview of what’s available, see our Best AI Tools Guide.

Action 3: Network Segmentation.
Isolate your file-sharing server in its own network segment. This ensures that even if it is compromised, the attacker cannot easily pivot to your internal corporate network.

Action 4: Have a Tested Incident Response Plan.
The chaos of this Gladinet zero-day proves the need for a plan. A well-documented and regularly tested plan is your most valuable asset in a crisis. The foundation of this is a solid Incident Response Framework Guide.

Conclusion

The Gladinet zero-day vulnerability CVE-2025-11371 is a stark reminder that any internet-facing system is a target. Your immediate action—identifying your status, applying the CVE-2025-11371 fix, and investigating for compromise—is critical. By following this guide, you can navigate this crisis and strengthen your CentreStack security to be resilient against the threats of tomorrow.

Top 20 FAQs on CVE-2025-11371

  1. What is the Gladinet zero-day CVE-2025-11371?
    Answer: It’s a critical vulnerability in Gladinet’s CentreStack and Triofox software that allows an unauthenticated attacker to read system files.
  2. Which products are affected?
    Answer: CentreStack and Triofox versions 13.x and below are affected.
  3. What is a Local File Inclusion (LFI) vulnerability?
    Answer: LFI is a type of vulnerability that allows an attacker to trick a web application into including and displaying files from the local server that they should not have access to.
  4. Is authentication required to exploit this Gladinet zero-day?
    Answer: No. That is what makes it so critical. An attacker needs no username or password.
  5. How do I get the CVE-2025-11371 fix?
    Answer: The fix is included in versions 14.x and higher of CentreStack and Triofox, available from the official Gladinet upgrade portal.
  6. How long has this vulnerability been exploited?
    Answer: Evidence shows it has been actively exploited as a zero-day since at least late September 2025.
  7. What is the immediate risk to my business?
    Answer: The risk is data theft and full system compromise. Attackers can read sensitive files, steal credentials, and use the server as a gateway into your network.
  8. How do I check if I’ve been compromised?
    Answer: Check your web server logs for suspicious requests containing ../ or requests for system files like web.config. Also, look for unexpected user accounts or files.
  9. If I am compromised, is patching enough?
    Answer: No. If you have been compromised, you must assume the attacker has left a backdoor. The only safe option is to isolate the server and rebuild it from scratch.
  10. Should I shut down my server if I suspect a compromise?
    Answer: No. Do not shut it down. Disconnect it from the network to preserve volatile memory (RAM) for forensic analysis.
  11. What is a “zero-day” exploit?
    Answer: A zero-day is an attack that exploits a vulnerability on the same day it becomes publicly known, giving defenders “zero days” to prepare.
  12. Can this lead to a ransomware attack?
    Answer: Yes. Attackers often use vulnerabilities like this Gladinet zero-day as their initial entry point to deploy ransomware across a network.
  13. What is the first thing I should do after patching?
    Answer: After applying the CVE-2025-11371 fix, you should monitor your systems closely for any residual signs of compromise and review your overall CentreStack security posture.
  14. How can I improve my CentreStack security long-term?
    Answer: Place your server behind a Web Application Firewall (WAF), restrict public access, implement network segmentation, and enable continuous security monitoring.
  15. What is a Web Application Firewall (WAF)?
    Answer: A WAF is a type of firewall that monitors, filters, and blocks malicious HTTP/S traffic to and from a web application, providing a layer of protection against attacks like LFI.
  16. Is Triofox also affected by the Gladinet zero-day?
    Answer: Yes, both CentreStack and Triofox are built on the same underlying platform and are both affected by CVE-2025-11371.
  17. What kind of files can an attacker access with this exploit?
    Answer: An attacker can potentially access any file that the web server’s user account has permission to read, including application configuration files, password files, and operating system files.
  18. Why is it important to have an incident response plan?
    Answer: An incident response plan, like our Incident Response Framework Guide, provides clear, pre-approved steps to take during a crisis, allowing you to respond quickly and effectively instead of panicking.
  19. How can I test my own systems for this vulnerability?
    Answer: You can use a web vulnerability scanner or manually craft a test request. However, this should only be done by a qualified professional, as it can be risky. Our Complete Ethical Hacking Guide 2025 covers the basics of such testing.
  20. Where can I find official information on the Gladinet zero-day?
    Answer: Always refer to the official security advisories from Gladinet and national cybersecurity agencies like CISA for the most accurate and up-to-date information.