Gladinet has released security updates for its CentreStack business solution to address a local file inclusion vulnerability (CVE-2025-11371) that threat actors have leveraged as a zero-day since late September.
Researchers at cybersecurity platform Huntress disclosed the exploitation activity last week saying that the flaw was a bypass for mitigations Gladinet implemented for the deserialization vulnerability leading to remote code execution (RCE) identified as CVE-2025-30406.
The local file inclusion (LFI) vulnerability enabled attackers to read the Web.config file on fully patched CentreStack deployments, extract the machine key, and then use it to exploit CVE-2025-30406.
When Huntress alerted of the zero-day attacks Gladinet provided mitigations for customers and was in the process of developing a patch.
The security update that addresses CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683 and administrators are strongly recommended to install it.
In an update to the original alert, Huntress shares more technical details on CVE-2025-11371 that include a minimal proof-of-concept exploit.
The root cause of the LFI issue is a sanitization failure at the temp-download handler, reachable at /storage/t.dn, which accepts an ‘s=’ parameter, leading to directory traversal.
At the service runs as NT AUTHORITYSYSTEM and resolves files relative to the temp folder, the flaw allows attackers to read any file the SYSTEM account can access, including Web.config, which contains the ASP.NET machine key.
Source: Huntress
With this key, attackers can forge a malicious ViewState payload that can be deserialized by the server due to CVE-2025-30406, leading to remote code execution.
In the wild, Huntress observed HTTP requests to ‘/storage/t.dn?s=…’ returning Web.config, followed by base64-encoded POST payloads triggering command execution on the targets.
Huntress published a one-line PowerShell Invoke-WebRequest example showing how an unauthenticated request to’/storage/t.dn?s=…’ can be used to retrieve Web.config.
Source: Huntress
However, the researchers did not release the full exploit chain including the earlier deserialization RCE (CVE-2025-30406).
Potentially impacted users are recommended to upgrade to CentreStack version 16.10.10408.56683.
If installing the new version is not possible, a mitigation is to disable the temp handler in the Web.config file for the UploadDownloadProxy component by removing the line that defines it in the file.
Join the Breach and Attack Simulation Summit and experience the future of security validation. Hear from top experts and see how AI-powered BAS is transforming breach and attack simulation.
Don’t miss the event that will shape the future of your security strategy
