A critical zero-day vulnerability in Gladinet CentreStack and Triofox products is currently under active exploitation, posing a significant threat to organizations utilizing these file synchronization and sharing solutions. Tracked as CVE-2025-11371, this unauthenticated Local File Inclusion (LFI) flaw can lead directly to Remote Code Execution (RCE) on vulnerable systems. While a patch is not yet available, a mitigation strategy has been provided.

Understanding the Zero-Day Threat

A zero-day vulnerability refers to a software flaw unknown to the vendor and for which no patch exists. The severity of CVE-2025-11371 is amplified by its active exploitation in the wild, meaning attackers are already leveraging this weakness to compromise systems. The vulnerability specifically targets Gladinet CentreStack and Triofox, products designed to provide enterprise-grade file sync and share capabilities, often handling sensitive data.

The Mechanics of CVE-2025-11371: LFI to RCE

The core of this vulnerability is an unauthenticated Local File Inclusion (LFI) flaw. LFI vulnerabilities allow attackers to include local files on the server into the web application’s output. In the context of CVE-2025-11371, this LFI can be leveraged by an attacker without requiring any authentication. By manipulating file paths, an attacker can access sensitive files, configuration data, or even inject malicious code into a file that is then executed by the server. The jump from LFI to Remote Code Execution (RCE) is critical; once RCE is achieved, attackers can execute arbitrary commands on the compromised server, potentially leading to data breaches, system control, and further network infiltration.

Affected Products and Impact

The vulnerability impacts both Gladinet CentreStack and Triofox solutions. These products are integral to many organizations’ data management and collaboration workflows. A successful RCE exploit could have severe consequences, including:

• Data Breaches: Attackers can access, exfiltrate, or manipulate sensitive corporate and customer data.
• System Compromise: Full control over the affected server, potentially expanding to other systems within the network.
• Disruption of Operations: Malicious actions could lead to service outages or data corruption.
• Reputational Damage: Significant harm to an organization’s trust and standing.

Remediation Actions for CVE-2025-11371

Given the active exploitation and the absence of an official patch, immediate action is paramount. Organizations using Gladinet CentreStack or Triofox must implement the provided mitigation strategy without delay.

• Implement Vendor-Provided Mitigation: Adhere strictly to the mitigation steps outlined by Gladinet. While precise details of the mitigation would come from the vendor, typical LFI mitigations often involve restricting file access permissions, validating input, and filtering dangerous characters in file paths.
• Isolate Affected Systems: If immediate mitigation is not feasible, isolate systems running CentreStack and Triofox from the broader network to contain potential breaches.
• Monitor for Suspicious Activity: Enhance monitoring for any unusual activity originating from or targeting CentreStack/Triofox servers. Look for unauthorized file access, unusual process execution, or outbound connections.
• Review Access Logs: Scrutinize logs for any indicators of compromise (IOCs) that might suggest a previous exploitation attempt.
• Prepare for Patch Deployment: Stay informed about Gladinet’s official patch release and be ready to apply it immediately once available.

Tools for Detection and Mitigation

While an official patch for CVE-2025-11371 is pending, various security tools can assist in detecting potential exploitation attempts and bolstering overall defensive posture against LFI and RCE attacks.

Tool Name	Purpose	Link
Web Application Firewalls (WAFs)	Detect and block LFI attempts by filtering malicious input and unusual URL patterns.	OWASP ModSecurity CRS
Intrusion Detection/Prevention Systems (IDS/IPS)	Identify and prevent network-based attacks leveraging LFI and RCE exploit patterns.	Snort
Endpoint Detection and Response (EDR) Solutions	Monitor system processes, file access, and network connections for signs of compromise post-exploitation.	CISA EDR Resources
Log Management & SIEM Solutions	Collect, analyze, and correlate logs to detect suspicious activity and indicators of compromise.	Elastic SIEM

Conclusion

The active exploitation of CVE-2025-11371 in Gladinet CentreStack and Triofox products represents a critical threat. The ability for an unauthenticated attacker to achieve Remote Code Execution through a Local File Inclusion vulnerability demands immediate attention. Organizations utilizing these products must prioritize the implementation of the vendor-provided mitigation, enhance their monitoring capabilities, and prepare for the deployment of a future official patch. Proactive defense and a rapid response are essential to protect against this zero-day threat.