CVE-2025-11371
Gladinet CentreStack and Triofox Files or Directories Accessible to External Parties Vulnerability
Confirmed exploited in the wild. Added 2025-11-04.
Federal remediation due 2025-11-25.
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Summary
In the default installation and configuration of Gladinet CentreStack and Triofox, there is an unauthenticated local file inclusion flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: all versions prior to and including 16.7.10368.56560.
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 7.5 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | NONE |
| Availability | NONE |
Weakness type (CWE)
Affected products
References
- https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw
- https://www.centrestack.com/p/gce_latest_release.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11371
Data: NIST NVD + CISA KEV. NVD last modified 2025-11-05. Always verify against the vendor advisory before acting.