Cyber Posture

CVE-2025-11371

Severity: High · CISA KEV · Active Exploitation · Public PoC

Published: 09 October 2025

Modified: 05 November 2025
KEV Added: 04 November 2025
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.7008 (98.7th percentile)
Risk Priority: 77 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11371 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Gladinet Centrestack. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.3% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly remediates the specific unauthenticated LFI vulnerability by requiring timely identification, reporting, and patching of the flaw in Gladinet CentreStack and TrioFox.

Prevent: Prevents LFI exploitation by enforcing validation of inputs, such as file paths, to block unauthorized traversal and disclosure of system files.

Prevent: Addresses the vulnerability in default installations by mandating secure configuration settings that restrict unauthenticated access to system files.
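The input-validation control (SI-10) above is the generic defence against this class of flaw: a file-serving endpoint must resolve a caller-supplied path against a fixed base directory and refuse anything that escapes it. The following is an added example written for this page, not code from Gladinet or from the advisory; the base directory, the request strings and the `safe_resolve` / `naive_resolve` function names are assumptions. It shows the unvalidated pattern the control replaces beside a hardened resolver, and runs constructed requests through both.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Dict, Optional
from urllib.parse import unquote

# Added example (not Gladinet's code): applying NIST 800-53 SI-10 to a
# file-serving endpoint. Base directory and request shapes are assumptions.


def naive_resolve(base_dir: str, requested: str) -> str:
    """Unsafe pattern the control is meant to replace: the caller-supplied
    relative path is joined to the base directory without any validation."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> Optional[Path]:
    """Return the absolute path for `requested` inside `base_dir`, or None
    when the request must be rejected (validate before use, SI-10)."""
    # Decode once so that percent-encoded separators are checked in decoded form.
    decoded = unquote(requested)
    # Reject NUL bytes (truncation tricks), backslashes (separator ambiguity)
    # and absolute paths on either path convention before touching the disk.
    if "\x00" in decoded or "\\" in decoded:
        return None
    if PurePosixPath(decoded).is_absolute() or PureWindowsPath(decoded).is_absolute():
        return None
    # Reject any parent-directory component regardless of where it appears.
    if ".." in PurePosixPath(decoded).parts:
        return None
    base = Path(base_dir).resolve()
    candidate = (base / decoded).resolve()
    # Containment check: after symlink/dot resolution the path must still be
    # under the base directory, otherwise the request is rejected.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Run constructed requests against a temporary base directory and report
    which ones the hardened resolver accepts (True) or rejects (False)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "share"
        base.mkdir()
        (base / "report.txt").write_text("constructed sample file")
        requests = [                    # constructed inputs
            "report.txt",               # legitimate file under the base
            "sub/../report.txt",        # parent component, rejected as policy
            "../outside.txt",           # plain traversal
            "..%2F..%2Fetc%2Fpasswd",   # percent-encoded traversal
            "/etc/hosts",               # absolute POSIX path
            "C:\\Windows\\win.ini",     # absolute Windows path
            "report.txt\x00.png",       # NUL-byte truncation attempt
        ]
        return {r: safe_resolve(str(base), r) is not None for r in requests}


if __name__ == "__main__":
    for req, accepted in demo().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {req!r}")
```

The `naive_resolve` function is kept only to make the contrast concrete: `os.path.join` happily produces a path that normalises to a location outside the share, which is exactly the behaviour SI-10 is meant to eliminate. `safe_resolve` rejects parent components outright rather than trying to normalise them, then re-checks containment after `resolve()`, so a symlink inside the base that points elsewhere is also refused.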

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Why these techniques?

The unauthenticated LFI vulnerability in public-facing Gladinet CentreStack/TrioFox enables remote exploitation for initial access (T1190) and arbitrary disclosure of local system files, which facilitates data collection from the local system (T1005) and file and directory discovery (T1083).

NVD Description

In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560

Deeper analysis

CVE-2025-11371 is an unauthenticated Local File Inclusion flaw (CWE-552) present in the default installation and configuration of Gladinet CentreStack and TrioFox. This vulnerability enables unintended disclosure of system files. It affects all versions of these products prior to and including 16.7.10368.56560, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remote attackers require no authentication or privileges to exploit this issue over the network with low complexity and no user interaction. Successful exploitation allows attackers to read sensitive system files, resulting in high confidentiality impact but no disruption to integrity or availability.

Advisories and mitigation details are provided in the Huntress analysis at https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw, CentreStack's latest release notes at https://www.centrestack.com/p/gce_latest_release.html, and the CISA Known Exploited Vulnerabilities catalog entry at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11371.

Exploitation of CVE-2025-11371 has been observed in the wild.

Details

CWE(s): CWE-552
KEV Date Added: 04 November 2025

Affected Products

gladinet centrestack: ≤ 16.10.10408.56683
gladinet triofox: ≤ 16.7.10368.56560

CVEs Like This One

CVE-2025-14611: same product (Gladinet CentreStack); both on KEV
CVE-2025-12480: same product (Gladinet TrioFox); both on KEV
CVE-2026-35446: shared CWE-552
CVE-2025-69428: shared CWE-552
CVE-2025-26525: shared CWE-552
CVE-2026-34392: shared CWE-552
CVE-2024-48864: shared CWE-552
CVE-2026-2331: shared CWE-552
CVE-2025-2147: shared CWE-552
CVE-2025-27147: shared CWE-552
