{"id":14946,"date":"2025-10-13T18:24:20","date_gmt":"2025-10-13T18:24:20","guid":{"rendered":"https:\/\/newestek.com\/?p=14946"},"modified":"2025-10-13T18:24:20","modified_gmt":"2025-10-13T18:24:20","slug":"gladinet-file-sharing-zero-day-brings-patched-flaw-back-from-the-dead","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14946","title":{"rendered":"Gladinet file sharing zero-day brings patched flaw back from the dead"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Criminals have been spotted exploiting a new zero-day vulnerability in Gladinet CentreStack and Triofox file sharing servers that could allow them to re-create the conditions of an earlier flaw patched in April, security company Huntress <a href=\"https:\/\/www.huntress.com\/blog\/gladinet-centrestack-triofox-local-file-inclusion-flaw\" target=\"_blank\" rel=\"noreferrer noopener\">has warned<\/a>.<\/p>\n<p>Normally, organizations patch a flaw and assume they\u2019re done until the next issue arises. 
In the case of <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-11371\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-11371<\/a>, an unauthenticated local file inclusion vulnerability, things are likely to be more complicated.<\/p>\n<p>Huntress discovered CVE-2025-11371 on September 27 when a detector in the company\u2019s managed security operations center (SOC) issued an alert for the successful exploitation of CentreStack in a customer\u2019s software.<\/p>\n<p>At first, the engineers assumed this was connected to a <a href=\"https:\/\/www.csoonline.com\/article\/3964214\/update-these-two-servers-from-gladinet-immediately-cisos-told.html\">previous zero-day<\/a> in the same software that the company publicized in April, a ViewState deserialization vulnerability allowing remote code execution (RCE), tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-30406\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-30406<\/a>.<\/p>\n<p>However, engineers discovered that the targeted customer was running a version of CentreStack patched against that vulnerability. Further analysis revealed that the latest detection was a completely new vulnerability that had been used against three of Huntress\u2019s customers.<\/p>\n<h2 class=\"wp-block-heading\" id=\"tale-of-two-flaws\">Tale of two flaws<\/h2>\n<p>The underlying problem revealed by April\u2019s CVE-2025-30406 was that CentreStack and Triofox relied on a hardcoded machineKey. A prerequisite for exploiting this flaw was that the attackers had to discover this machineKey, made easier because every installation used the same one.<\/p>\n<p>A patch updated this so that every new installation generated its own key, leaving admins to manually cycle existing keys.<\/p>\n<p>How does this relate to CVE-2025-11371? 
As Huntress explained, the new flaw \u201callowed a threat actor to retrieve the machineKey from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability [CVE-2025-30406].\u201d<\/p>\n<p>In other words, by exploiting the new flaw attackers can get their hands on the necessary machineKey, including ones that were changed as part of the CVE-2025-30406 fix.<\/p>\n<p>So, CVE-2025-11371, while different from CVE-2025-30406, could be used as a roundabout way to re-enable a key part of what made April\u2019s flaw dangerous.<\/p>\n<h2 class=\"wp-block-heading\" id=\"what-to-do\">What to do<\/h2>\n<p>All versions of CentreStack and Triofox file sharing servers up to and including 16.7.10368.56560 are vulnerable to CVE-2025-11371.<\/p>\n<p>The bad news is that Gladinet has yet to issue a patch for this, which means that for the time being the best customers can do is to apply the recommended mitigation.<\/p>\n<p>Luckily, according to Huntress, it\u2019s fairly simple: disable the temp handler within the Web.config file for UploadDownloadProxy located at:<\/p>\n<p><em>C:\\Program Files (x86)\\Gladinet Cloud Enterprise\\UploadDownloadProxy\\Web.config<\/em><\/p>\n<p>\u201cThis will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched,\u201d said Huntress.<\/p>\n<p>Gladinet seems to have discovered the flaw independently of Huntress via a mutual customer and is notifying other customers of the mitigation.<\/p>\n<p>The flaw\u2019s discovery reinforces that good SOC controls can often pick up exploits even when the flaw being exploited is unknown. 
In this case, it was \u201can irregular base64 payload being executed as a child of a web server process,\u201d said the Huntress alert.<\/p>\n<p>\u201cDon\u2019t assume that being \u2018fully patched\u2019 means being secure,\u201d Huntress director of adversary tactics, Jamie Levy, told CSO Online.<\/p>\n<p>\u201cThe new Gladinet local file inclusion flaw shows how post-patch regressions can reintroduce critical risk paths. When in doubt, isolate or disable vulnerable handlers immediately, even at the cost of some functionality, to close exploit windows until the vendor releases a validated patch,\u201d he said.<\/p>\n<p>File sharing and file transfer systems are now a regular target for attackers looking to steal data for extortion, recent examples of which include a vulnerability <a href=\"https:\/\/www.csoonline.com\/article\/4060276\/fortra-patches-critical-goanywhere-mft-flaw-akin-to-past-ransomware-exploits.html\">in Fortra\u2019s GoAnywhere MFT software<\/a>, and the 2023 attack affecting 2,600 organizations using <a href=\"https:\/\/www.csoonline.com\/article\/1248857\/moveit-carnage-continues-with-over-2600-organizations-and-77m-people-impacted-so-far.html\">the MOVEit file transfer service<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Criminals have been spotted exploiting a new zero-day vulnerability in Gladinet CentreStack and Triofox file sharing servers that could allow them to re-create the conditions of an earlier flaw patched in April, security company Huntress has warned. Normally, organizations patch a flaw and assume they\u2019re done until the next issue arises. 
In the case of CVE-2025-11371, an unauthenticated local file inclusion vulnerability, things are likely&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14946\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14946","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14946","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14946"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14946\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}