CVE-2025-11371 Sumo Logic CSE · Sumo

Detect Gladinet CentreStack/Triofox Unauthorized File/Directory Access (CVE-2025-11371) in Sumo Logic CSE

Detects exploitation of CVE-2025-11371, a CWE-552 vulnerability in Gladinet CentreStack and Triofox where files or directories are accessible to external parties without proper authorization. This CISA KEV-listed vulnerability allows unauthenticated or unauthorized actors to access sensitive files and directories exposed by the affected file-sharing platform.

MITRE ATT&CK

Tactic
Collection Exfiltration

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=web/iis OR _sourceCategory=web/apache OR _sourceCategory=proxy
| parse regex "(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\S+\s+\S+\s+\[(?P<timestamp>[^\]]+)\]\s+\"(?P<method>\w+)\s+(?P<uri_path>\S+)\s+HTTP/[\d\.]+\"\s+(?P<status>\d{3})"
| where status in ("200", "206", "301", "302")
| where (uri_path matches /(?i)\/(storage|files|share|download|content)\//) or (uri_path matches /(?i)(\.\.[\/\\]|%2e%2e|%252e%252e)/) or (uri_path matches /(?i)\/(web\.config|appsettings|\.ssh|etc\/passwd)/)
| where !(src_ip matches /^10\./ or src_ip matches /^172\.(1[6-9]|2[0-9]|3[0-1])\./ or src_ip matches /^192\.168\./)
| timeslice 1h
| stats count as request_count, values(uri_path) as paths by _timeslice, src_ip, method, status
| where request_count > 3
| order by request_count desc
high severity medium confidence

Sumo Logic query identifying external source IPs accessing file/directory endpoints on CentreStack or Triofox, aggregated by time window to highlight enumeration patterns.

Data Sources

IIS Access LogsApache Access LogsReverse Proxy Logs

Required Tables

web/iisweb/apacheproxy

False Positives & Tuning

  • Legitimate remote users accessing shared drives through the web portal
  • Scheduled sync clients connecting from cloud providers with public IPs
  • Partner SSO-authenticated sessions accessing shared project files
  • Monitoring tools performing uptime checks against file service endpoints

Other platforms for CVE-2025-11371

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated File Enumeration via CentreStack Storage Endpoint

    Expected signal: IIS access logs will show HTTP GET requests to /storage/, /files/, /share/ etc. from the test IP with no authentication headers. Responses of 200/206 indicate the vulnerability is present.

  2. Test 2Path Traversal Attempt Against CentreStack File Server

    Expected signal: Web server logs will contain requests with URL-encoded traversal sequences. Windows Security Event Log Event ID 4663 may fire if file auditing is enabled and a real file is accessed.

  3. Test 3Bulk File Download Simulation from External IP

    Expected signal: IIS logs will show high-volume sequential GET requests from a single external IP with large response sizes (sc-bytes). Network flow data will show sustained outbound data transfer to the test IP.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-11371 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0009CollectionTA0010Exfiltration

Related Techniques

T1083File and Directory DiscoveryT1530Data from Cloud StorageT1190Exploit Public-Facing Application

Same Tactic: Collection

Popular Detections