Security Bulletin: Gladinet CentreStack / TrioFox Local File Inclusion Vulnerability

Written by RedLegg's Cyber Threat Intelligence Team | 10/10/25 9:19 PM

About:

CVE-2025-11371 is an unauthenticated Local File Inclusion vulnerability in Gladinet CentreStack and TrioFox, allowing attackers to read sensitive files like Web.config and potentially achieve remote code execution when chained with CVE-2025-30406.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Gladinet CentreStack / TrioFox Local File Inclusion Vulnerability

Identifier: CVE-2025-11371
Exploit or Proof of Concept (PoC): Yes — in-the-wild exploitation observed by security researchers
Update: No official vendor patch yet — vendor guidance and researcher mitigations recommended. See the vendor advisory and public reporting for the latest patch status.

Description:

CVE-2025-11371 is an unauthenticated Local File Inclusion (LFI) flaw in default installations and configurations of Gladinet CentreStack and TrioFox (reported in versions up to 16.7.10368.56560). An attacker can read sensitive application files — notably Web.config — which may expose the ASP.NET machine key. With the machine key, an attacker can chain this vulnerability to a ViewState deserialization attack (CVE-2025-30406) to achieve remote code execution (RCE). Security researchers have observed active exploitation, including successful chains that led to code execution even in environments thought to be partially mitigated.

Mitigation Recommendation:

Until an official patch is available, implement the recommended mitigation: disable the "temp" handler in the Web.config under UploadDownloadProxy (remove the line referencing Gladinet.Cloud.Proxy.TempHandler) to block unauthenticated file reads.
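As an added check (not RedLegg's or Gladinet's code), the script below audits a Web.config for the handler entry the mitigation tells you to remove and produces the hardened copy. The sample config is constructed; the exact attributes of the product's real handler entry are assumed, and only the "temp" handler name and the Gladinet.Cloud.Proxy.TempHandler type come from this bulletin.

```python
import xml.etree.ElementTree as ET

# Handler type the bulletin says to remove from Web.config under UploadDownloadProxy.
TEMP_HANDLER_TYPE = "Gladinet.Cloud.Proxy.TempHandler"

# Constructed sample Web.config for the demonstration. The <handlers>/<add> layout
# is the generic IIS one; the exact attributes of the product's real entry are an
# assumption. Only the "temp" handler name and type come from the bulletin.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="temp" path="temp.aspx" verb="*" type="Gladinet.Cloud.Proxy.TempHandler" />
      <add name="other" path="other.aspx" verb="*" type="Example.OtherHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""

def _references_temp_handler(add_element):
    """True if an <add> entry's type attribute names the temp handler (substring match
    so an assembly-qualified type such as 'Type, Assembly' is also caught)."""
    return TEMP_HANDLER_TYPE.lower() in add_element.get("type", "").lower()

def find_temp_handlers(xml_text):
    """Return the names of handler entries that still reference the temp handler."""
    root = ET.fromstring(xml_text)
    return [add.get("name", "<unnamed>")
            for handlers in root.iter("handlers")
            for add in handlers.findall("add")
            if _references_temp_handler(add)]

def is_mitigated(xml_text):
    """The Web.config mitigation is in place when no temp handler entry remains."""
    return not find_temp_handlers(xml_text)

def remove_temp_handlers(xml_text):
    """Return (hardened config text, number of entries removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for handlers in root.iter("handlers"):
        for add in list(handlers.findall("add")):  # copy: we mutate while iterating
            if _references_temp_handler(add):
                handlers.remove(add)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    print("before:", find_temp_handlers(SAMPLE_WEB_CONFIG))  # ['temp']
    hardened, count = remove_temp_handlers(SAMPLE_WEB_CONFIG)
    print("removed", count, "entry; mitigated:", is_mitigated(hardened))
```

Run find_temp_handlers on the real file's contents after applying the vendor or researcher guidance; an empty result confirms the handler line is gone, and a non-empty one names the entries still to remove.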

Restrict access to UploadDownloadProxy and related endpoints to trusted networks only (network segmentation, access control lists). Monitor server logs for suspicious read requests to Web.config, unusual base64 ViewState payloads, and unexpected requests to upload/download proxy endpoints.

Prepare to apply vendor-supplied patches immediately when released and validate patch effectiveness against the exploit chain.

If compromise is suspected, take affected servers offline for forensic analysis and restore from known-good backups.