👤 WHITEHAWK
🗓️ 28 Sep 2025   🌍 Europe

Zero-Day Whiplash: Gladinet’s CentreStack Breach Exposes the Hidden Perils of File-Sharing Software

Actively exploited vulnerability in CentreStack lets hackers turn a single weak point into total system takeover - until a rapid patch race ensues.

Fast Facts

  • A zero-day flaw in Gladinet’s CentreStack was exploited in the wild since September 2024.
  • The vulnerability (CVE-2025-11371) let attackers read sensitive files, paving the way for remote code execution.
  • Security firm Huntress uncovered the exploit and shared technical details and a proof-of-concept.
  • Gladinet’s emergency patch is available in CentreStack version 16.10.10408.56683.
  • Admins are urged to update or apply a workaround by disabling the vulnerable handler.

The Anatomy of a Modern File-Sharing Breach

Imagine a locked filing cabinet in a busy office. Now imagine someone discovers that by jiggling a drawer just right, they can not only peek at confidential files, but also forge a master key to the entire building. This is the digital drama that unfolded with Gladinet’s CentreStack, a popular business file-sharing platform recently rocked by a zero-day vulnerability - one that hackers wasted no time exploiting.

The flaw, tracked as CVE-2025-11371, is what security experts call a “local file inclusion” (LFI) vulnerability. In simple terms, it’s a loophole that lets outsiders trick the system into handing over files it should keep secret. The most prized loot? The Web.config file, a digital safe containing the keys to the kingdom. Once attackers snagged this file, they could stage a follow-up attack (exploiting a previously known bug, CVE-2025-30406) to run any code they wanted on the target system - essentially hijacking it.

From Proof-of-Concept to Real-World Threat

Huntress, a cybersecurity firm, first observed the exploit in the wild, catching hackers as they sent specially crafted web requests to vulnerable CentreStack servers. The attack was alarmingly simple: by manipulating a web address parameter, attackers could download Web.config, then use its secrets to unleash a remote code execution payload. The system’s flaw was a failure to properly “sanitize” (or clean up) file requests - think of a receptionist who never checks visitor badges.
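For administrators who want to check whether their own servers saw the kind of request described above, here is an added detection example (not code from Huntress, Gladinet, or this article). It scans IIS W3C-format log lines for query parameter values that contain directory traversal or name Web.config, decoding repeatedly so double-encoded attempts are not missed; the handler path, parameter name and log lines are constructed placeholders, not the real CentreStack endpoint.

```python
import re
from urllib.parse import unquote, parse_qsl

# Constructed sample lines in IIS W3C format:
# date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
# "/placeholder/temp-handler" and "file" stand in for the real handler and parameter.
SAMPLE_LOG = """\
2025-09-20 10:01:02 10.0.0.5 GET /placeholder/temp-handler file=report.pdf 203.0.113.7 200
2025-09-20 10:01:09 10.0.0.5 GET /placeholder/temp-handler file=..\\..\\Web.config 203.0.113.7 200
2025-09-20 10:01:15 10.0.0.5 GET /placeholder/temp-handler file=%252e%252e%252fWeb.config 203.0.113.7 200
2025-09-20 10:02:00 10.0.0.5 GET /portal/index.aspx - 198.51.100.4 200
"""

# Matches "../" (after backslashes are normalised) or a path ending in web.config.
TRAVERSAL = re.compile(r"(\.\.[\\/])|(^|[\\/])web\.config$", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(query: str) -> bool:
    """True if any query parameter value contains traversal or targets Web.config."""
    if query in ("", "-"):
        return False
    for _, val in parse_qsl(query, keep_blank_values=True):
        val = fully_decode(val).replace("\\", "/")
        if TRAVERSAL.search(val):
            return True
    return False


def find_lfi_attempts(log_text: str) -> list:
    """Return (client_ip, uri_stem, decoded_query, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blanks and W3C header lines
            continue
        parts = line.split()
        if len(parts) < 8:
            continue
        _date, _time, _sip, _method, stem, query, cip, status = parts[:8]
        if is_suspicious(query):
            hits.append((cip, stem, fully_decode(query), status))
    return hits
```

A status of 200 on a flagged request means the server returned content for it and the host should be treated as potentially compromised, not merely probed.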

This attack chain is reminiscent of past breaches, like the infamous Equifax hack of 2017, where a single missed patch and sensitive file exposure led to massive data theft. In the case of CentreStack, the service runs with powerful “SYSTEM” privileges, meaning attackers could access almost anything on the server.

Patch Now or Face the Consequences

Gladinet responded at breakneck speed, releasing a fix in version 16.10.10408.56683 and urging all users to update immediately. For those unable to upgrade, a workaround is available: disabling the vulnerable temp handler in the configuration file. But as every security expert knows, workarounds are only ever a stopgap.

The incident underscores a wider truth in today’s digital ecosystem: business file-sharing tools are enticing targets, and even well-meaning security measures can be sidestepped by clever attackers. As organizations increasingly rely on cloud and on-premise collaboration, the stakes - and the risks - only grow.

In the world of cybersecurity, every overlooked corner is a potential open door. Gladinet’s rapid response may have slammed this one shut, but the episode is a stark reminder: vigilance is not optional, and in the age of zero-days, the next breach may be just a click away.

WIKICROOK

  • Zero-Day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.
  • Local File Inclusion (LFI): Local File Inclusion (LFI) is a security flaw that allows attackers to trick a web app into loading files from its own server, risking data exposure.
  • Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
  • Web.config: Web.config is a configuration file for IIS web applications on Windows servers, storing security settings, access controls, and sensitive data.
  • Deserialization Vulnerability: A deserialization vulnerability lets attackers run malicious code by sending specially crafted data that tricks a program during data processing.

WHITEHAWK
Cyber Intelligence Strategist