TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Active Exploitation of Gladinet CentreStack and Triofox | Huntress

2025-10-15

ATT&CK techniques detected

7 predictions
T1190 Exploit Public-Facing Application
96%
"200 indicating the page has refreshed (wrong password/username) or a code 302 indicating the now logged in user has been redirected to another page. figure 3: post request as shown in the logs here is where it gets interesting. the attacker then made an unusual get request:…"
T1190 Exploit Public-Facing Application
93%
". figure 4: get request showing exploitation now that the attacker had a copy of the web.config file containing the machine key, they were able to perform a deserialization attack and begin reconnoitering the host. this was achieved by two sets of base64 encoded payloads contai…"
T1190 Exploit Public-Facing Application
89%
"##loaddownloadproxy located at: c:\program files (x86)\gladinet cloud enterprise\uploaddownloadproxy\web.config this will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until the patch has been applied.…"
T1190 Exploit Public-Facing Application
67%
"(cve-2025-11371) in gladinet centrestack and triofox products. as of the initial writing of this blog, a patch was not available in the latest versions of centrestack and triofox. background in april 2025, huntress published its findings on the exploitation of cve-2025-…"
T1055.001 Dynamic-link Library Injection
65%
"payload contained within the post requests vulnerability analysis the huntress hunt and response team looked into the endpoint with the local file inclusion vulnerability and found the vulnerable code inside the class gladinetstorage.tempdownload located within c:\program fil…"
T1190 Exploit Public-Facing Application
58%
"active exploitation of gladinet centrestack and triofox | huntress update #1: 10/15/25 @ 1pm et on october 14, gladinet released version 16.10.10408.56683 of centrestack, which includes a fix for the local file inclusion vulnerability outlined below. huntress recommends …"
T1105 Ingress Tool Transfer
39%
"retrieve any file relative to c:\windows\temp\glad_temp. so for example retrieving the file ..\..\explorer.exe would retrieve the file from c:\windows\explorer.exe. proof of concept whilst huntress is still inclined not to release the proof of concept code for e…"

Summary

Huntress has observed in-the-wild exploitation of a Local File Inclusion vulnerability in Gladinet CentreStack and Triofox products.