Gladinet CentreStack/TrioFox LFI (<=16.7.10368.56560)
CVE-2025-11371 Published on October 9, 2025
Gladinet CentreStack and TrioFox Local File Inclusion Flaw
In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild.
This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
Known Exploited Vulnerability
This Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Gladinet CentreStack and Triofox contains a files or directories accessible to external parties vulnerability that allows unintended disclosure of system files.
The following remediation steps are recommended / required by November 25, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2025-11371 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be. Web servers, FTP servers, and similar servers may store a set of files underneath a "root" directory that is accessible to the server's users. Applications may store sensitive files underneath this root without also using access control to limit which users may request those files, if any. Alternately, an application might package multiple files or directories into an archive file (e.g., ZIP or tar), but the application might not exclude sensitive files that are underneath those directories.
Products Associated with CVE-2025-11371
Want to know whenever a new CVE is published for Gladinet Centrestack? stack.watch will email you.
Affected Versions
Gladinet CentreStack and TrioFox:- Before and including 16.7.10368.56560 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.