Attacks targeting Gladinet CentreStack and TrioFox instances impacted by the medium-severity unauthenticated local file inclusion flaw, tracked as CVE-2025-11371, have been underway since late September, The Hacker News reports.
Threat actors could use the new vulnerability to retrieve the machine key from the application's Web.config file and then exploit the older critical deserialization bug, tracked as CVE-2025-30406, to achieve remote code execution, according to Huntress researchers. Researchers have urged organizations running vulnerable CentreStack and TrioFox apps to deactivate the "temp" handler in the UploadDownloadProxy Web.config file while awaiting an official patch. Doing so may affect platform functionality but would prevent exploitation amid confirmed compromises, researchers noted.
"It's unclear if these are the same threat actors, but I wouldn't be surprised since they would have already been familiar with this particular piece of software and they could have found this new vulnerability with minimal effort," said Huntress Director of Adversary Tactics Jamie Levy.

Gladinet, TrioFox flaw under active exploitation




