CVE-2025-11371

Gladinet CentreStack/Triofox Unauthorized File/Directory Access (CVE-2025-11371)

Collection Exfiltration Last updated:

Detects exploitation of CVE-2025-11371, a CWE-552 vulnerability in Gladinet CentreStack and Triofox where files or directories are accessible to external parties without proper authorization. This CISA KEV-listed vulnerability allows unauthenticated or unauthorized actors to access sensitive files and directories exposed by the affected file-sharing platform.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Gladinet
Product
CentreStack and Triofox

Weakness (CWE)

CWE-552

Timeline

Disclosed
November 4, 2025

CVSS

Unscored
Write-up coming soon

What is CVE-2025-11371 Gladinet CentreStack/Triofox Unauthorized File/Directory Access (CVE-2025-11371)?

Gladinet CentreStack/Triofox Unauthorized File/Directory Access (CVE-2025-11371) (CVE-2025-11371) maps to the Collection and Exfiltration tactics — the adversary is trying to gather data of interest to their goal in MITRE ATT&CK.

This page provides production-ready detection logic for Gladinet CentreStack/Triofox Unauthorized File/Directory Access (CVE-2025-11371), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, IIS Logs, Azure Monitor. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Collection Exfiltration
Microsoft Sentinel / Defender
kusto 
union DeviceNetworkEvents, DeviceFileEvents, W3CIISLog
| where TimeGenerated > ago(24h)
| where (
    (ActionType in ("ConnectionSuccess", "InboundConnectionAccepted") and RemoteIPType == "Public" and LocalPort in (80, 443, 8080, 8443))
    or (csUriStem has_any ("/storage/", "/files/", "/share/", "/download/", "/content/") and sc-status in (200, 206))
    or (csUriStem matches regex @"(?i)/(\.\.[\/\\]|%2e%2e[\/\\]|%252e%252e)")
  )
| where DeviceName has_any ("centrestack", "triofox") or csHost has_any ("centrestack", "triofox")
| extend SuspiciousPath = iff(csUriStem matches regex @"(?i)/(windows|system32|etc/passwd|proc/|boot\.ini|\.ssh/|web\.config)", true, false)
| project TimeGenerated, DeviceName, RemoteIP, csUriStem, csMethod, sc-status, SuspiciousPath, csUserAgent
| order by TimeGenerated desc

Detects HTTP requests to Gladinet CentreStack or Triofox servers indicative of unauthorized file/directory enumeration or access, including path traversal patterns and access to sensitive system paths.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint IIS Logs Azure Monitor

Required Tables

DeviceNetworkEvents DeviceFileEvents W3CIISLog

False Positives

  • Legitimate authenticated users accessing shared files through the CentreStack or Triofox portal
  • Automated backup or sync clients making bulk file access requests
  • Security scanners or vulnerability assessment tools running authorized scans against the server
  • CDN or reverse proxy health checks accessing content endpoints

Sigma rule & cross-platform mapping

The detection logic for Gladinet CentreStack/Triofox Unauthorized File/Directory Access (CVE-2025-11371) (CVE-2025-11371) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2025-11371 Sigma rules on detection.fyi

Platform-specific guides for CVE-2025-11371

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (3)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated File Enumeration via CentreStack Storage Endpoint

    Expected signal: IIS access logs will show HTTP GET requests to /storage/, /files/, /share/ etc. from the test IP with no authentication headers. Responses of 200/206 indicate the vulnerability is present.

  2. Test 2Path Traversal Attempt Against CentreStack File Server

    Expected signal: Web server logs will contain requests with URL-encoded traversal sequences. Windows Security Event Log Event ID 4663 may fire if file auditing is enabled and a real file is accessed.

  3. Test 3Bulk File Download Simulation from External IP

    Expected signal: IIS logs will show high-volume sequential GET requests from a single external IP with large response sizes (sc-bytes). Network flow data will show sustained outbound data transfer to the test IP.

Unlock Pro Content

Get the full detection package for CVE-2025-11371 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0009CollectionTA0010Exfiltration

Related Techniques

T1083File and Directory DiscoveryT1530Data from Cloud StorageT1190Exploit Public-Facing Application

Same Tactic: Collection

Popular Detections