CVE-2025-11371
Gladinet CentreStack vulnerability analysis and mitigation

Overview

CVE-2025-11371 is an unauthenticated Local File Inclusion (LFI) vulnerability affecting Gladinet CentreStack and TrioFox file-sharing and remote access platforms. The vulnerability was discovered in September 2025 and affects all versions prior to and including 16.7.10368.56560. The flaw allows unintended disclosure of system files without authentication in the default installation and configuration (Huntress Blog, Help Net Security).

Technical details

The vulnerability exists in the GladinetStorage.TempDownload function within GSUploadDownloadProxy.dll, which handles requests to the /storage/t.dn endpoint. Because the application runs as NT AUTHORITY\SYSTEM, attackers can use directory traversal characters (..) to retrieve any file relative to C:\Windows\Temp\glad_temp. The vulnerability has a CVSS 3.1 base score of 6.2 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Huntress Blog, Hacker News).
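A defender-side check for the request pattern described above, as an added example that is not code from the original page or from the vendor: it scans W3C-format web server logs for requests to /storage/t.dn whose URL-decoded query string contains a traversal sequence, and marks hits that mention Web.config. It assumes the server writes IIS-style W3C logs; the log lines, the query parameter name `p`, the paths and the IP addresses are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

ENDPOINT = "/storage/t.dn"                 # endpoint named in the advisory text
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|$)")  # ".." followed by a separator or end

# Constructed W3C-format log lines. The parameter name "p", the paths and the
# addresses are placeholders for illustration, not observed values.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-10-01 10:00:01 GET /storage/t.dn p=report.tmp 192.0.2.10 200
2025-10-01 10:00:07 GET /storage/t.dn p=..%5C..%5Cexample%5CWeb.config 198.51.100.7 200
2025-10-01 10:00:09 GET /Storage/T.dn p=%252e%252e%252fexample 198.51.100.7 404
2025-10-01 10:00:12 GET /portal/login.aspx - 192.0.2.10 200
"""

def fully_decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal is still visible."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_requests(log_text):
    """Return one dict per request to ENDPOINT whose query contains traversal."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout is declared per file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        query = fully_decode(row.get("cs-uri-query", ""))
        if TRAVERSAL.search(query):
            hits.append({
                "when": f'{row.get("date")} {row.get("time")}',
                "client": row.get("c-ip"),
                "status": int(row.get("sc-status", 0)),
                "query": query,
                # Web.config holds the machine key, so these hits come first.
                "touches_config": "web.config" in query.lower(),
            })
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 and `touches_config` set is the case to triage first, since the machine key should then be treated as exposed.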

Impact

The vulnerability allows attackers to access any file on the file system remotely without authentication. Specifically, attackers can retrieve the machine key from the application's Web.config file, which can then be used to perform remote code execution via ViewState deserialization. This creates a chain of exploitation that could lead to complete system compromise (Help Net Security, Hacker News).

Mitigation and workarounds

On October 14, 2025, Gladinet released version 16.10.10408.56683 of CentreStack, which includes a fix for the vulnerability. As an immediate workaround, users can disable the temp handler within the Web.config file located at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config. While this will impact some platform functionality, it prevents exploitation until the patch can be applied (Huntress Blog, Help Net Security).

This report was generated using AI.

Related Gladinet CentreStack vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-30406 | CRITICAL | 9.8 | Gladinet CentreStack | cpe:2.3:a:gladinet:centrestack | Yes | Yes | Apr 03, 2025 |
| CVE-2024-37782 | CRITICAL | 9.8 | Gladinet CentreStack | cpe:2.3:a:gladinet:centrestack | No | No | Nov 22, 2024 |
| CVE-2023-26829 | CRITICAL | 9.8 | Gladinet CentreStack | cpe:2.3:a:gladinet:centrestack | No | Yes | Mar 31, 2023 |
| CVE-2023-26830 | HIGH | 7.2 | Gladinet CentreStack | cpe:2.3:a:gladinet:centrestack | No | Yes | Mar 31, 2023 |
| CVE-2025-11371 | MEDIUM | 6.2 | Gladinet CentreStack | cpe:2.3:a:gladinet:centrestack | No | Yes | Oct 09, 2025 |
