Gladinet CentreStack Zero-Day Exploit Detected: Enterprise File-Sharing Under Active Attack

Security researchers at Huntress have uncovered active exploitation of a previously unknown zero-day vulnerability in Gladinet CentreStack and Triofox enterprise file-sharing products. Tracked as CVE-2025-11371, the flaw allows unauthenticated attackers to achieve remote code execution on vulnerable servers, potentially giving them full control over enterprise systems. The discovery on September 27, 2025, confirmed that at least three organizations had already been compromised, highlighting the speed at which threat actors weaponize new vulnerabilities.

The Threat Landscape

The vulnerability exists in the file-handling mechanisms of both CentreStack and Triofox, products widely used by enterprises for secure file sharing and collaboration. CVE-2025-11371 is an unauthenticated Local File Inclusion flaw that allows attackers to read sensitive files on the server without any credentials. This alone would be concerning, but the true danger emerges when this flaw is combined with a previously patched vulnerability, CVE-2025-30406.

CVE-2025-30406 involved a hardcoded machine key that could be abused for ViewState deserialization attacks, enabling remote code execution. Gladinet had patched this flaw in April 2025. However, the new zero-day allows attackers to bypass that patch entirely. By first exploiting the LFI vulnerability to read the machine key file, attackers can then use that key to perform the same ViewState deserialization attack that was supposed to have been fixed months ago.

This attack chain represents an increasingly common pattern in enterprise security: a bypass vulnerability that renders a previous patch ineffective. Organizations that had applied the April 2025 patch and believed they were protected remain fully vulnerable to this new exploit path. For crypto companies and blockchain enterprises running on Windows infrastructure, this represents a direct threat to operational security.

Core Principles

The incident reinforces several fundamental principles of enterprise security that apply equally to traditional IT and crypto infrastructure. First, defense in depth remains critical. A single security patch is never sufficient protection against determined attackers. Organizations need multiple layers of security controls including network segmentation, intrusion detection, and behavioral monitoring.

Second, file-sharing and collaboration platforms represent high-value targets because they often sit at the intersection of internal networks and external access. An attacker who compromises a CentreStack or Triofox server gains a foothold that can be leveraged to move laterally through the network, potentially reaching cryptocurrency wallets, private keys, or signing infrastructure.

Third, the speed of exploitation matters. Huntress detected the first attacks on September 26, with confirmation of active exploitation across multiple customers by September 27. This timeline suggests either a leak of the vulnerability details or sophisticated threat actors conducting their own vulnerability research. In either case, the window between vulnerability discovery and exploitation continues to shrink.

Tooling and Setup

Huntress has provided a mitigation that involves disabling the temp handler within the UploadDownloadProxy configuration file. Specifically, administrators need to remove a handler line in the web configuration that enables the attack vector. This workaround does disrupt some platform functionality, but it effectively closes the exploit path until Gladinet releases a permanent patch.
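As an added, defender-side illustration of that workaround (not Huntress's or Gladinet's code; the handler name, path and type below are constructed placeholders, not the product's real registration): a small script that audits an IIS web.config for a named handler under system.webServer/handlers and produces a copy with it removed, so an administrator can confirm the entry is present before the change and gone after it.

```python
"""Audit an IIS web.config for a named HTTP handler and emit a copy without it.

Added example, not Huntress's or Gladinet's code. It assumes the interim
mitigation amounts to deleting one <add .../> entry under
system.webServer/handlers; names, paths and types are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config (placeholder handler names, paths and types).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="temp" path="t" verb="*" type="PLACEHOLDER.TempHandler" />
      <add name="proxy" path="*.ashx" verb="*" type="PLACEHOLDER.ProxyHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""


def _handlers_element(root):
    # Walk by tag instead of XPath: ElementTree treats the dot in
    # "system.webServer" as a path step, so find("system.webServer") fails.
    for section in root:
        if section.tag == "system.webServer":
            for child in section:
                if child.tag == "handlers":
                    return child
    return None


def list_handlers(config_xml):
    """Return every <add> under system.webServer/handlers as an attribute dict."""
    handlers = _handlers_element(ET.fromstring(config_xml))
    return [] if handlers is None else [dict(h.attrib) for h in handlers.findall("add")]


def find_handler(config_xml, name):
    """Return the attributes of the handler registered as `name`, or None."""
    for h in list_handlers(config_xml):
        if h.get("name", "").lower() == name.lower():
            return h
    return None


def remove_handler(config_xml, name):
    """Return the configuration text with the named handler removed (no-op if absent)."""
    root = ET.fromstring(config_xml)
    handlers = _handlers_element(root)
    if handlers is not None:
        for h in list(handlers.findall("add")):
            if h.get("name", "").lower() == name.lower():
                handlers.remove(h)
    return ET.tostring(root, encoding="unicode")
```

Run `find_handler` on the live file before and after editing it; the audit is only meaningful against the real handler name from the vendor's or Huntress's guidance, which this example does not supply.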

For organizations running crypto infrastructure alongside enterprise file-sharing tools, the following setup provides additional protection. Deploy CentreStack and Triofox behind a reverse proxy with strict access controls. Implement network segmentation so file-sharing servers cannot directly access cryptocurrency operations or wallet infrastructure. Enable comprehensive logging and forward security events to a SIEM for real-time analysis.

Additionally, organizations should consider whether CentreStack or Triofox is genuinely necessary for their operations. If file sharing can be achieved through more secure alternatives that receive faster security updates, migrating away from products with a history of critical RCE vulnerabilities may be the more prudent long-term strategy.

Ongoing Vigilance

The CVE-2025-11371 situation is evolving. Gladinet has confirmed awareness of the issue and is reportedly in the process of notifying customers. However, no official patch has been released yet, and the mitigation requires manual configuration changes that may not be straightforward for all administrators.

Organizations should monitor Gladinet’s security advisories for patch announcements and plan immediate deployment once available. In the meantime, the mitigation should be treated as an emergency measure. Security teams should also review logs for any indicators of compromise dating back to September 26, when the first anomalous activity was detected.

The broader lesson for the crypto industry is that operational security extends far beyond smart contracts and blockchain protocols. The infrastructure supporting crypto businesses, from file sharing to email to cloud services, all presents attack surface that must be actively managed. A compromised file server can be just as devastating as a smart contract bug when it provides access to private keys or signing infrastructure.

Final Takeaway

The Gladinet CentreStack zero-day is a stark reminder that enterprise infrastructure vulnerabilities can undermine even the most carefully designed blockchain security. Crypto companies must extend their security practices beyond on-chain concerns to encompass every layer of their technology stack. The organizations that survive and thrive in this space are those that treat operational security as a holistic discipline, not one confined to smart contract audits.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making investment decisions.

11 thoughts on “Gladinet CentreStack Zero-Day Exploit Detected: Enterprise File-Sharing Under Active Attack”

    1. formal verification wouldn't have caught this one though. the bug was in the file handling layer not the contract logic. different threat model entirely

    1. pwd_is_hashed

      this wasn't social engineering at all. CVE-2025-11371 was an unauthenticated LFI chained with a hardcoded machine key. pure technical exploitation

    2. social engineering is getting more sophisticated but this CVE was about unauthenticated RCE on enterprise file sharing. different threat vector entirely

  1. combining CVE-2025-11371 with the old CVE-2025-30406 ViewState flaw is a classic exploit chain. one gives file read, the other gives code execution. the patch for 30406 existed but nobody applied it
