All news with #gladinet centrestack tag

Thu, October 16, 2025

Gladinet patches zero-day in CentreStack file sharing

#Zero-Day #RCE #Insecure Deserialization #Patch #Security Advisory #Exploit Detected #Gladinet CentreStack

🔒 Gladinet released an urgent update for its CentreStack business solution to fix a local file inclusion flaw tracked as CVE-2025-11371, which was abused in the wild as a zero-day. The LFI allowed attackers to read Web.config, extract the ASP.NET machine key, and then leverage a prior deserialization RCE (CVE-2025-30406) to achieve remote code execution. Administrators should upgrade to CentreStack version 16.10.10408.56683 immediately; if patching is not possible, disable the temp handler in Web.config for the UploadDownloadProxy component as a temporary mitigation.

Fri, October 10, 2025

Zero-Day in Gladinet CentreStack and Triofox Exploited

#Zero-Day #Active Exploitation #RCE #Insecure Deserialization #Local File Inclusion #Gladinet CentreStack

⚠️ Researchers report an actively exploited zero-day (CVE-2025-11371) in Gladinet's CentreStack and Triofox that permits unauthenticated Local File Inclusion (LFI) on default installs, exposing system files and allowing machine-key disclosure. Huntress observed exploitation on Sept 27 with at least three companies targeted. No patch is available yet; Gladinet has issued a workaround to disable a temp handler in the UploadDownloadProxy Web.config, though this may affect some functionality.