Gladinet has released security updates for its CentreStack business solution to address a local file inclusion vulnerability (CVE-2025-11371) that threat actors have leveraged as a zero-day since late September.
Researchers at cybersecurity platform Huntress disclosed the exploitation activity last week saying that the flaw was a bypass for mitigations Gladinet implemented for the deserialization vulnerability leading to remote code execution (RCE) identified as CVE-2025-30406.
The local file inclusion (LFI) vulnerability enabled attackers to read the Web.config file on fully patched CentreStack deployments, extract the machine key, and then use it to exploit CVE-2025-30406.
When Huntress alerted of the zero-day attacks Gladinet provided mitigations for customers and was in the process of developing a patch.
The security update that addresses CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683 and administrators are strongly recommended to install it.
In an update to the original alert, Huntress shares more technical details on CVE-2025-11371 that include a minimal proof-of-concept exploit.
The root cause of the LFI issue is a sanitization failure at the temp-download handler, reachable at /storage/t.dn, which accepts an 's=' parameter, leading to directory traversal.
At the service runs as NT AUTHORITY\SYSTEM and resolves files relative to the temp folder, the flaw allows attackers to read any file the SYSTEM account can access, including Web.config, which contains the ASP.NET machine key.
The vulnerable class
Source: Huntress
... continue reading