Attackers Read Server Files and Steal Credentials in Gladinet CentreStack, Triofox
Hackers are exploiting a flaw that lets them access, without authentication, files in the document root folder of file-sharing and remote-access software, where they obtain access tokens and passwords to unlock remote access to corporate file systems, researchers warn.
Cybersecurity company Huntress found that Gladinet CentreStack and Triofox platforms were vulnerable to a local file inclusion vulnerability. Tracked as CVE-2025-11371, the issue allows remote attackers to take advantage of how web applications often call server-side files. Huntress said it has observed in-the-wild exploitation targeting exposed instances.
Attackers began scanning and targeting vulnerable systems at least a week before public disclosure, the company said. The firm said more than 6,000 instances of Gladinet CentreStack and Triofox were exposed to the internet at the time of its investigation, which began Sept. 27.
The flaw is an unauthenticated local file inclusion bug that lets an attacker request and read files from the application’s filesystem without logging in. Attackers can simply supply specially crafted input to the affected web endpoints and retrieve arbitrary server files – for example, configuration files that contain cryptographic keys, access tokens or passwords. Huntress said exploiters have used the local file inclusion flaw to read the application’s web.config and extract the machine key, which in turn can be abused to forge a malicious ViewState and achieve remote code execution.
Because the vulnerability requires no authentication and affects internet-facing installs, successful exploitation can immediately expose credentials and sensitive configuration data, enable unauthorized access to corporate file systems and be chained to execute code on the server.
Huntress’ technical analysis showed the attack path used a temporary handler in the UploadDownloadProxy component to trigger file reads. Removing that handler from UploadDownloadProxyWeb.config blocks the local file inclusion path.
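A defender can confirm both halves of that chain on a server: whether the handler is still registered, and whether the configuration file stores literal machine key material that a file read would expose. The following is an added example, not code from Huntress or Gladinet; the article does not name the handler, so the path `PLACEHOLDER-temp-handler`, the handler types and the sample file are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real CentreStack/Triofox file. The handler path
# "PLACEHOLDER-temp-handler" and the type names are placeholders (assumptions).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
    <httpHandlers>
      <add verb="GET" path="PLACEHOLDER-temp-handler" type="Example.TempHandler" />
      <add verb="*" path="upload.ashx" type="Example.UploadHandler" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="tmp" verb="GET" path="PLACEHOLDER-temp-handler" type="Example.TempHandler" />
    </handlers>
  </system.webServer>
</configuration>"""

def audit_web_config(xml_text, handler_pattern):
    """Report handlers matching handler_pattern and machineKey attributes stored as literals."""
    root = ET.fromstring(xml_text)
    wanted = re.compile(handler_pattern, re.IGNORECASE)
    findings = {"handlers": [], "static_keys": []}
    # ASP.NET handlers can be registered under system.web/httpHandlers (classic
    # mode) and system.webServer/handlers (integrated mode); check both sections.
    for parent_tag in ("httpHandlers", "handlers"):
        for parent in root.iter(parent_tag):
            for add in parent.findall("add"):
                path = add.get("path", "")
                if wanted.search(path) or wanted.search(add.get("type", "")):
                    findings["handlers"].append((parent_tag, path))
    # Literal key material in the file is what a file read exposes; values that
    # start with "AutoGenerate" are generated at run time, not stored in the file.
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr)
            if value and not value.startswith("AutoGenerate"):
                findings["static_keys"].append(attr)
    return findings

if __name__ == "__main__":
    print(audit_web_config(SAMPLE_WEB_CONFIG, r"PLACEHOLDER-temp-handler"))
```

An empty `handlers` list after the change means the registration is gone from both sections; a non-empty `static_keys` list identifies key attributes whose values sit in the file in clear text.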
The same cybersecurity firm had earlier uncovered another critical flaw – CVE-2025-30406 – in the Gladinet CentreStack and Triofox platforms (https://www.huntress.com/weblog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild). That bug allowed remote code execution, giving attackers control over vulnerable servers. Huntress said both vulnerabilities stem from similar weaknesses in how the software processes user-supplied input, underscoring persistent security gaps in the products’ design.







