dark
Hand-Picked Top-Read Stories
Trending Tags
2 minute read

From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability

info@thehackernews.com (The Hacker News)
October 10, 2025
Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products. The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and
Total
0
Shares
0
0
0
Gladinet and TrioFox Vulnerability

Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products.

The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and including 16.7.10368.56560.

Huntress said it first detected the activity on September 27, 2025, uncovering that three of its customers have been impacted so far.

It’s worth noting that both applications were previously affected by CVE-2025-30406 (CVSS score: 9.0), a case of hard-coded machine key that could allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability. The vulnerability has since come under active exploitation.

DFIR Retainer Services

CVE-2025-11371, per Huntress, “allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability. Additional details of the flaw are being withheld in light of active exploration and in the absence of a patch.

In one instance investigated by the company, the affected version was newer than 16.4.10315.56368 and not vulnerable to CVE-2025-30406, suggesting that attackers could exploit earlier versions and use the hard-coded machine key to execute code remotely via the ViewState deserialization flaw.

In the interim, users are recommended to disable the “temp” handler within the Web.config file for UploadDownloadProxy located at “C:Program Files (x86)Gladinet Cloud EnterpriseUploadDownloadProxyWeb.config.”

“This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched,” Huntress researchers Bryan Masters, James Maclachlan, Jai Minton, and John Hammond said.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Share 0
Tweet 0
Share 0
Share 0
Share 0
Previous Post

CL0P-Linked Hackers Breach Dozens of Organizations Through Oracle Software Flaw

October 10, 2025
Next Post

The AI SOC Stack of 2026: What Sets Top-Tier Platforms Apart?

October 10, 2025
Related Posts
3 min

Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike

A suspected cyber espionage activity cluster that was previously found targeting global government and private sector organizations spanning Africa, Asia, North America, South America, and Oceania has been assessed to be a Chinese state-sponsored threat actor. Recorded Future, which was tracking the activity under the moniker TAG-100, has now graduated it to a hacking group dubbed RedNovember.
info@thehackernews.com (The Hacker News)
September 24, 2025
Read More
3 min

Bridging the Remediation Gap: Introducing Pentera Resolve

From Detection to Resolution: Why the Gap Persists A critical vulnerability is identified in an exposed cloud asset. Within hours, five different tools alert you about it: your vulnerability scanner, XDR, CSPM, SIEM, and CMDB each surface the issue in their own way, with different severity levels, metadata, and context. What’s missing is a system of action. How do you transition from the
info@thehackernews.com (The Hacker News)
October 22, 2025
Read More
3 min

A New Security Layer for macOS Takes Aim at Admin Errors Before Hackers Do

A design firm is editing a new campaign video on a MacBook Pro. The creative director opens a collaboration app that quietly requests microphone and camera permissions. MacOS is supposed to flag that, but in this case, the checks are loose. The app gets access anyway. On another Mac in the same office, file sharing is enabled through an old protocol called SMB version one. It’s fast and
info@thehackernews.com (The Hacker News)
October 30, 2025
Read More