
Urgent Security Alert: Critical Vulnerability in Gladinet CentreStack and Triofox Actively Exploited
A critical, unpatched vulnerability has been discovered in Gladinet’s CentreStack and Triofox file-sharing platforms. This security flaw, identified as CVE-2025-11371, is currently being exploited by threat actors in the wild, posing a significant and immediate risk to organizations using these self-hosted solutions.
Due to the severity of this vulnerability and the lack of an official security patch, immediate action is required to protect sensitive data and network infrastructure.
Understanding the Threat: What is CVE-2025-11371?
This vulnerability is a critical security flaw that allows an unauthenticated attacker to achieve remote code execution (RCE) on a targeted server. In simple terms, a malicious actor can exploit this weakness over the internet to take full control of your CentreStack or Triofox server without needing any login credentials.
The impact of a successful exploit is severe and can lead to:
- Complete Data Compromise: Attackers can gain unrestricted access to all files and data stored and managed through the platform.
- Ransomware Deployment: Once they have control of the server, threat actors can deploy ransomware, encrypting all your files and demanding a ransom.
- Network Infiltration: The compromised server can be used as a beachhead to move laterally across your internal network, targeting other critical systems.
- Persistent Backdoors: Attackers may install hidden backdoors to maintain long-term access to your network for future attacks or data exfiltration.
Because CentreStack and Triofox are designed to provide remote access to internal file servers and cloud storage, they are high-value targets. A compromise of this single point of entry can unravel an organization’s entire security posture.
Why This Vulnerability is Extremely Dangerous
The primary danger lies in two key factors: its lack of a patch and its active exploitation. When a vulnerability is being used by attackers before a fix is available, it is often referred to as a “zero-day” situation. This means that standard update and patching procedures will not protect your systems.
Organizations are in a race against time to implement mitigation measures before attackers discover their publicly exposed, vulnerable servers. Any internet-facing CentreStack or Triofox instance that has not been secured should be considered at extreme risk of compromise.
Actionable Steps to Mitigate the Risk Immediately
Since there is no official patch available at this time, organizations must take proactive steps to defend their systems. The following mitigation strategies are strongly recommended.
Isolate the Server from the Internet
The most effective immediate step is to take the server offline or place it behind a strict firewall. If your business operations depend on the service, restrict all public access to the web interface. Instead, require users to connect through a secure Virtual Private Network (VPN) to access the platform. This removes the direct attack surface available to external threat actors.
Implement IP Whitelisting
If taking the server completely offline is not feasible, implement strict IP address whitelisting. Configure your firewall to only allow connections to the CentreStack/Triofox server from known, trusted IP addresses, such as your main office or the home IPs of key remote employees. This will block scanning and exploitation attempts from unknown sources.
Monitor for Signs of Compromise
Assume that your system may have already been targeted. It is crucial to hunt for Indicators of Compromise (IOCs). Security teams should immediately:
- Analyze server logs for unusual login attempts, unexpected requests, or strange error messages.
- Examine running processes for any unfamiliar or suspicious applications running on the server.
- Monitor network traffic for unusual outbound connections, which could indicate data exfiltration or communication with a command-and-control server.
Prepare for an Emergency Patch
Continuously monitor official communications from Gladinet for the release of a security patch. Once a patch is available, it must be applied immediately as a top priority. Sign up for security advisories from the vendor to ensure you receive the notification as soon as it is released.
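To check that the IP allowlist described above is actually holding, and to give the log review a starting point, the following added example (not from the original article or from Gladinet) parses a web server log and lists every request whose client address falls outside the trusted ranges. It assumes the server writes W3C extended logs, as IIS does; the trusted ranges, log lines and URL paths are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist standing in for office / VPN ranges (assumption).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.8.0.0/16")]

# Constructed sample log in W3C extended format; paths are placeholders.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-10-10 08:01:12 198.51.100.23 GET /placeholder/login 200
2025-10-10 08:03:40 203.0.113.77 GET /placeholder/path-a 200
2025-10-10 08:03:41 203.0.113.77 GET /placeholder/path-b 500
2025-10-10 08:05:02 10.8.0.14 POST /placeholder/login 302
2025-10-10 08:09:55 192.0.2.9 GET /placeholder/path-a 404
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the directive can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_trusted(ip_text):
    """True only if the address parses and sits inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client address is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def untrusted_sources(text):
    """Map each client IP outside the allowlist to the requests it made."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        ip = row.get("c-ip", "-")
        if not is_trusted(ip):
            hits[ip].append((row.get("date"), row.get("time"), row.get("cs-method"),
                             row.get("cs-uri-stem"), row.get("sc-status")))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in untrusted_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} request(s) from outside the allowlist")
        for req in reqs:
            print("   ", *req)
```

If the server sits behind a reverse proxy or load balancer, `c-ip` holds the proxy's address, so run the check against the proxy's own log or a forwarded-address field instead.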
The rise in attacks against remote access and file-sharing solutions highlights the need for a defense-in-depth security strategy. By taking these decisive actions now, you can significantly reduce your organization’s exposure to this critical threat and protect your valuable data from compromise.
Source: https://www.helpnetsecurity.com/2025/10/10/gladinet-centrestack-vulnerability-exploited-cve-2025-11371/


