Detect Gladinet CentreStack/Triofox Unauthorized File/Directory Access (CVE-2025-11371) in Splunk
Detects exploitation of CVE-2025-11371, a CWE-552 vulnerability in Gladinet CentreStack and Triofox where files or directories are accessible to external parties without proper authorization. This CISA KEV-listed vulnerability allows unauthenticated or unauthorized actors to access sensitive files and directories exposed by the affected file-sharing platform.
MITRE ATT&CK
- Tactic
- Collection Exfiltration
SPL Detection Query
index=web OR index=iis OR index=proxy
(sourcetype="iis" OR sourcetype="ms:iis:auto" OR sourcetype="access_combined")
| where match(uri_path, "(?i)/(storage|files|share|download|content|data)/") OR match(uri_path, "(?i)(%2e%2e|\.\.[\/\\])")
| where (status=200 OR status=206 OR status=301 OR status=302)
| eval is_traversal=if(match(uri_path, "(?i)(\.\.[\/\\]|%2e%2e|%252e%252e)"), "true", "false")
| eval sensitive_path=if(match(uri_path, "(?i)(windows|system32|etc.passwd|proc|boot\.ini|\.ssh|web\.config|appsettings|connectionstring)"), "true", "false")
| eval external_src=if(NOT match(src_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"), "true", "false")
| where external_src="true"
| stats count AS request_count, values(uri_path) AS accessed_paths, dc(uri_path) AS unique_paths, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip, dest, http_method, is_traversal, sensitive_path
| where request_count > 5 OR is_traversal="true" OR sensitive_path="true"
| sort -request_countDetects external parties accessing file/directory endpoints on Gladinet CentreStack or Triofox servers, including path traversal attempts and access to sensitive configuration paths.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate remote workers accessing shared files via the web interface
- Mobile sync clients from external IPs performing bulk downloads
- Partner organization file sharing activity via authenticated sessions
- Web crawlers or search engine indexing public-facing portions of the site
Other platforms for CVE-2025-11371
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated File Enumeration via CentreStack Storage Endpoint
Expected signal: IIS access logs will show HTTP GET requests to /storage/, /files/, /share/ etc. from the test IP with no authentication headers. Responses of 200/206 indicate the vulnerability is present.
- Test 2Path Traversal Attempt Against CentreStack File Server
Expected signal: Web server logs will contain requests with URL-encoded traversal sequences. Windows Security Event Log Event ID 4663 may fire if file auditing is enabled and a real file is accessed.
- Test 3Bulk File Download Simulation from External IP
Expected signal: IIS logs will show high-volume sequential GET requests from a single external IP with large response sizes (sc-bytes). Network flow data will show sustained outbound data transfer to the test IP.
Unlock Pro Content
Get the full detection package for CVE-2025-11371 including response playbook, investigation guide, and atomic red team tests.