Attackers Read Server Files and Steal Credentials in Gladinet CentreStack, Triofox

Hackers are exploiting a flaw that lets them access document root folder files without authentication in file-sharing and remote-access software, where they obtain access tokens and passwords to unlock remote access to corporate file systems, researchers warn.
Cybersecurity company Huntress found that Gladinet CentreStack and Triofox platforms were vulnerable to a local file inclusion vulnerability. Tracked as CVE-2025-11371, the issue allows remote attackers to take advantage of how web applications often call server-side files. Huntress said it has observed in-the-wild exploitation targeting exposed instances.
Attackers began scanning and targeting vulnerable systems at least a week before public disclosure, the company said. The firm said more than 6,000 instances of Gladinet CentreStack and Triofox were exposed to the internet at the time of its investigation, which began Sept. 27.
The flaw is an unauthenticated local file inclusion bug that lets an attacker request and read files from the application's filesystem without logging in. Attackers can simply supply specially crafted input to the affected web endpoints and retrieve arbitrary server files – for example, configuration files that contain cryptographic keys, access tokens or passwords. Huntress said exploiters have used the local file inclusion flaw to read the application's Web.config and extract the machine key, which in turn can be abused to forge a malicious ViewState and achieve remote code execution.
Because the vulnerability requires no authentication and affects internet-facing installs, successful exploitation can immediately expose credentials and sensitive configuration data, enable unauthorized access to corporate file systems and be chained to execute code on the server.
Huntress technical analysis showed the attack path used a temp handler in the UploadDownloadProxy component to trigger file reads. Removing that handler from the UploadDownloadProxy component's Web.config blocks the local file inclusion path.
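To check a deployed Web.config against the two points above (a machine key stored as a literal value, and the handler still being registered), the following added example, which is not code from Huntress or Gladinet, audits a config file's XML. The sample config, its handler names and the default `handler_marker` value are constructed placeholders and assumptions, not the product's real entries.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real CentreStack/Triofox file: the handler names,
# paths and types are placeholders, and the key values are fake.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123ABCD" decryptionKey="4567EF01"
                validation="SHA1" decryption="AES" />
  </system.web>
  <system.webServer>
    <handlers>
      <add name="example-temp" verb="*" path="example.tmp"
           type="Example.TempHandler" />
      <add name="example-upload" verb="POST" path="upload.ashx"
           type="Example.UploadHandler" />
    </handlers>
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text, handler_marker="temp"):
    """Return (kind, detail) findings for static machine keys and matching handlers.

    handler_marker is an assumption: set it to the handler named in the vendor
    or Huntress guidance for the installed version.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "")
            # A literal key (not AutoGenerate) is exposed to anyone who can read the file.
            if value and "AutoGenerate" not in value:
                findings.append(("static-machine-key", attr))  # report the attribute, never the key
    # Classic-mode (httpHandlers) and integrated-mode (handlers) sections.
    for section in ("httpHandlers", "handlers"):
        for parent in root.iter(section):
            for add in parent.findall("add"):
                fields = [add.get(a, "") for a in ("name", "path", "type")]
                if any(handler_marker.lower() in f.lower() for f in fields):
                    findings.append(("handler-present", add.get("name") or add.get("path", "")))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{kind}: {detail}")
```

An empty result for the handler check only means no entry matched the marker supplied, so confirm the marker against the published mitigation before treating a host as remediated.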
The same cybersecurity firm had earlier uncovered another critical flaw – CVE-2025-30406 – in the Gladinet CentreStack and Triofox platforms (https://www.huntress.com/weblog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild). That bug allowed remote code execution, giving attackers control over vulnerable servers. Huntress said both vulnerabilities stem from similar weaknesses in how the software processes user-supplied input, underscoring persistent security gaps in the products' design.









