Gladinet CentreStack Zero-Day: Anatomy of an Actively Exploited LFI Vulnerability

A single overlooked flaw in a widely used file-sharing platform can open the door to a cascade of security nightmares. This was the case with Gladinet’s CentreStack, where a zero-day vulnerability (CVE-2025-11371) allowed attackers to slip past defenses and access sensitive files, including the all-important Web.config file. The vulnerability, a local file inclusion (LFI) bug, was actively exploited before a patch could be released, highlighting just how quickly threat actors can move when opportunity knocks. Attackers leveraged this flaw to bypass mitigations for an earlier deserialization vulnerability, gaining access to files with the same privileges as the powerful NT AUTHORITY\SYSTEM account. The result? Potential exposure of encryption keys, unauthorized data access, and a real risk of further system compromise (BleepingComputer).

The CentreStack incident is a textbook example of why timely patching and proactive security measures are non-negotiable. It also serves as a wake-up call for organizations relying on third-party software, reminding us that the software supply chain is only as strong as its weakest link. As attackers continue to exploit zero-days with increasing speed and sophistication, the need for robust threat intelligence and rapid incident response has never been clearer (BleepingComputer).

Understanding the Zero-Day Vulnerability and Its Exploitation

Nature of the Zero-Day Vulnerability

The zero-day vulnerability identified in Gladinet’s CentreStack software, specifically CVE-2025-11371, is a local file inclusion (LFI) flaw. This vulnerability was actively exploited by threat actors before a patch was released, making it a significant security concern. The LFI vulnerability allowed attackers to read sensitive files on the system, such as the Web.config file, which contains critical information like the ASP.NET machine key. This key is essential for the security of web applications as it is used for encryption and decryption processes. The ability to access such a file can lead to severe security breaches, including unauthorized data access and potential system control. (BleepingComputer)

Exploitation Techniques

The exploitation of CVE-2025-11371 involved a bypass of existing mitigations for a previously identified deserialization vulnerability, CVE-2025-30406, which could lead to remote code execution (RCE). This exploitation was facilitated by a failure in input sanitization at the temp-download handler, accessible via the /storage/t.dn endpoint. Attackers could manipulate the ‘s=’ parameter to achieve directory traversal, allowing them to read files accessible to the NT AUTHORITY\SYSTEM account. This level of access is particularly dangerous because it grants attackers the ability to read any file the system account can access, potentially leading to further exploitation and system compromise. (Huntress)

Impact on Affected Systems

The impact of the zero-day vulnerability on affected systems is substantial. By exploiting the LFI vulnerability, attackers could gain access to sensitive configuration files, which could be leveraged to further exploit the system. The ability to read the Web.config file, for instance, could allow attackers to decrypt sensitive data, manipulate application settings, or even execute arbitrary code if combined with other vulnerabilities. This could lead to data breaches, unauthorized access to sensitive information, and potential disruption of services. The fact that the vulnerability was actively exploited before a patch was released underscores the importance of timely security updates and vulnerability management. (BleepingComputer)

Mitigation and Remediation Strategies

In response to the discovery and active exploitation of the zero-day vulnerability, Gladinet released a security update for CentreStack, version 16.10.10408.56683, which addresses the LFI vulnerability. Administrators are strongly advised to apply this update to protect their systems from potential exploitation. For those unable to immediately install the update, a temporary mitigation involves disabling the temp-download handler in the Web.config file for the UploadDownloadProxy component. This can be achieved by removing the line that defines it in the configuration file, effectively preventing the directory traversal attack vector. These mitigation strategies are crucial for reducing the risk of exploitation and protecting sensitive data. (BleepingComputer)

Broader Implications for Cybersecurity

The discovery and exploitation of the zero-day vulnerability in Gladinet’s CentreStack software highlight several broader implications for cybersecurity. First, it underscores the importance of proactive security measures, such as regular vulnerability assessments and timely application of security patches. Organizations must prioritize security updates and ensure that their systems are protected against known vulnerabilities. Second, the incident illustrates the potential risks associated with software supply chains, as vulnerabilities in widely used software can have far-reaching impacts. Finally, the exploitation of the vulnerability before a patch was available highlights the need for effective threat intelligence and incident response capabilities to detect and mitigate zero-day attacks in real-time. These broader implications emphasize the need for a comprehensive and proactive approach to cybersecurity to protect against emerging threats. (BleepingComputer)

Final Thoughts

The Gladinet CentreStack zero-day episode underscores a hard truth: even trusted platforms can become vectors for serious breaches if vulnerabilities go unpatched. The swift exploitation of CVE-2025-11371 demonstrates how attackers are constantly probing for weaknesses, often outpacing defenders. Gladinet’s rapid release of a security update and the availability of temporary mitigations were crucial in limiting the fallout, but the incident reinforces the importance of layered defenses, regular vulnerability assessments, and a culture of security-first thinking (BleepingComputer).

As organizations increasingly depend on interconnected software ecosystems, the risks posed by zero-days and supply chain vulnerabilities will only grow. Staying ahead means not just patching quickly, but also investing in real-time monitoring, employee awareness, and adaptive security strategies. The CentreStack case is a timely reminder: in cybersecurity, vigilance is the best defense.

References

• Gladinet fixes actively exploited zero-day in file sharing software (2025). BleepingComputer. https://www.bleepingcomputer.com/news/security/gladinet-fixes-actively-exploited-zero-day-in-file-sharing-software/