CentreStack and TrioFox - Arbitrary File Read (CVE-2025-11371)

CVE-2025-11371 is a local file inclusion vulnerability in the default installation of Gladinet CentreStack and TrioFox, allowing unauthenticated attackers to access sensitive system files. This flaw, which has been actively exploited in the wild, could lead to unintended disclosure of confidential information and facilitate further attacks against affected systems.

CrowdSec has been tracking this vulnerability and its exploits since 29th of October 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2025-11371 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-11371 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-11371 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit this vulnerability by sending requests to URLs containing /storage/t.dn with the s parameter set to Windows-style path traversal sequences (e.g., ..%5C..%5C..%5C) to access sensitive files such as Web.config.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

・

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.

CentreStack and TrioFox - Arbitrary File Read (CVE-2025-11371)

Exploitation

Detected IPs

Common Weakness Enumeration (CWE)

Protection

Blocklist

References