CVE-2025-11371

HIGH KEV NUCLEI

Gladinet CentreStack/Triofox Path Traversal

Title source: metasploit

Exploitation Summary

CVE-2025-11371 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 4, 2025. EIP tracks 2 public exploits from researchers including halilkirazkaya and lap1nou. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains functional exploit code for multiple CVEs, including remote file inclusion, path traversal, and unauthorized file deletion vulnerabilities. Each PoC includes specific HTTP requests or commands to exploit the vulnerabilities.

Description

In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated local file inclusion flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: all versions prior to and including 16.7.10368.56560.

Exploits (2)

GitHub · Working PoC · 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2025/CVE-2025-11371.md


Classification: Working PoC (95%)
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Various (WordPress plugins, QNAP Photo Station, IBM Data Risk Manager, etc.)
Authentication: no auth needed
Prerequisites: Network access to the target system · Specific software versions as listed in each CVE
devstral-2 · analyzed Feb 27, 2026
GitHub · Working PoC · 1 star
by lap1nou · python, remote
https://github.com/lap1nou/CVE-2025-11371

This repository contains a functional exploit for CVE-2025-11371, leveraging a local file inclusion (LFI) vulnerability to extract decryption and validation keys from a web.config file, then using ysoserial.net to generate a malicious ViewState payload for remote code execution (RCE).

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Triofox (specific version not specified)
Authentication: no auth needed
Prerequisites: Access to the target URL · ysoserial.net tool installed · Wine for running ysoserial.exe
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

Gladinet CentreStack & TrioFox - Local File Inclusion
Severity: Medium · Verified · by Kazgangap
Shodan: title:"CentreStack"
FOFA: CentreStack - Login

Scores

CVSS v3: 7.5
EPSS: 0.6765
EPSS Percentile: 98.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: partial

Details

CISA KEV: 2025-11-04
VulnCheck KEV: 2025-10-09
ENISA EUVD: EUVD-2025-33408
CWE: CWE-552
Status: published
Products (2):
gladinet/centrestack < 16.10.10408.56683
gladinet/triofox < 16.7.10368.56560
Published: Oct 09, 2025
KEV Added: Nov 04, 2025
Tracked Since: Feb 18, 2026