What happened
CISA added CVE-2025-11371 to the Known Exploited Vulnerabilities (KEV) catalog for Gladinet CentreStack and Triofox on 2025-11-04. CISA KEV
The entry classifies the issue as “files or directories accessible to external parties,” enabling unintended disclosure of system files. CISA KEV
CISA set a remediation due date of 2025-11-25 for federal agencies subject to BOD 22-01. CISA KEV
The weakness maps to CWE-552: Files or Directories Accessible to External Parties. NVD CVE-2025-11371
The CVE record is also published in the MITRE CVE database. MITRE CVE-2025-11371
CISA’s entry lists Known Ransomware Campaign Use as “Unknown.” CISA KEV
Why it matters
Placement in the KEV catalog means this vulnerability is known to be exploited in the wild, which elevates operational urgency. CISA KEV
The described impact is unintended disclosure of system files, which can directly undermine data confidentiality. NVD CVE-2025-11371
Because KEV entries are backed by observed exploitation, agencies and enterprises should assume adversaries are actively testing and chaining this exposure. CISA KEV
The CWE-552 classification highlights that resources meant to stay internal become externally reachable, so even routine probing of the service can reach data that should never have been served. NVD CVE-2025-11371
The inclusion of a specific due date reflects mandatory federal remediation timelines under BOD 22-01, reinforcing that delay equals exposure. CISA KEV
Technical detail
CVE-2025-11371 is attributed to Gladinet CentreStack and Triofox and is categorized as “Files or Directories Accessible to External Parties.” MITRE CVE-2025-11371
CISA’s short description states the flaw allows unintended disclosure of system files, indicating inadequate access controls on file resources. CISA KEV
NVD associates the issue with CWE-552, a class where files or directories are reachable by parties that should not have access. NVD CVE-2025-11371
The public records identify affected products but do not enumerate exploit primitives in the entry, which is typical for KEV notices focused on urgency and remediation. CISA KEV
The MITRE record provides standardized CVE metadata to align asset and vulnerability tracking across tooling. MITRE CVE-2025-11371
NVD provides the canonical CVE page used by many scanners and correlation engines to tag and prioritize exposure. NVD CVE-2025-11371
Defense
CISA requires one of the following: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. CISA KEV
For U.S. federal civilian agencies, remediation is due by 2025-11-25, after which non-compliance may violate BOD 22-01 directives. CISA KEV
Operators should immediately identify any instances of Gladinet CentreStack or Triofox and align patch and mitigation actions to the KEV directive. CISA KEV
Use the CVE identifier to track coverage and advisory updates across vulnerability management tools referencing MITRE and NVD records. MITRE CVE-2025-11371 NVD CVE-2025-11371
Because the impact is disclosure of system files, reduce exposure by limiting unauthenticated requests to file resources and reviewing any public-facing endpoints that accept or serve file paths. NVD CVE-2025-11371
Prioritize log review for anomalous access to sensitive file paths aligned with the CWE-552 class, then remediate per the KEV-required actions. NVD CVE-2025-11371 CISA KEV
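The log review step above, as an added example that is not part of the advisory or the vendor's tooling: a Python triage script over constructed access-log lines that flags the traces CWE-552-style exposure leaves in logs (traversal sequences, absolute paths in parameters, requests naming system or configuration files) and marks those answered 200 to an unauthenticated caller. The combined log format, the sample lines and the sensitive file-name list are assumptions, since the advisory names no endpoints or log sources.

```python
import re
from urllib.parse import unquote

# Combined log format (Apache/nginx style); the format and the sample lines below are
# constructed assumptions, the advisory names no endpoints or log sources.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# File names whose disclosure matters on almost any deployment (assumed list, not from the advisory).
SENSITIVE_NAMES = {"web.config", "machine.config", "appsettings.json", "win.ini", "passwd", "shadow", ".env"}

def decode_fully(s, rounds=3):
    """URL-decode repeatedly: double encoding (..%252F) is a common filter bypass."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def suspicious_indicators(target):
    """Return the CWE-552-style indicators found in one request target, in a fixed order."""
    flat = decode_fully(target).replace("\\", "/").lower()
    hits = []
    if "../" in flat or flat.endswith("/.."):
        hits.append("traversal")                 # escaping the intended directory
    if re.search(r"[?&]\w+=(?:[a-z]:)?/", flat):
        hits.append("absolute-path-param")       # caller names an absolute path outright
    if set(re.split(r"[/=&?]", flat)) & SENSITIVE_NAMES:
        hits.append("sensitive-name")            # request names a system/config file
    return hits

def review_log(lines):
    """Return findings for requests worth analyst attention; served_unauth ranks a likely disclosure."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                             # unparsable line: skip rather than abort the review
        hits = suspicious_indicators(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "target": m["target"], "status": m["status"],
                             "indicators": hits,  # 200 with no authenticated user: file likely disclosed
                             "served_unauth": m["status"] == "200" and m["user"] == "-"})
    return findings

SAMPLE_LOG = [  # constructed sample traffic, not real log data
    '203.0.113.7 - - [04/Nov/2025:10:15:01 +0000] "GET /portal/login HTTP/1.1" 200 4521',
    '203.0.113.9 - - [04/Nov/2025:10:15:07 +0000] "GET /files/download?name=..%2F..%2Fweb.config HTTP/1.1" 200 1874',
    '198.51.100.2 - alice [04/Nov/2025:10:16:00 +0000] "GET /files/download?name=report.pdf HTTP/1.1" 200 88213',
    '203.0.113.9 - - [04/Nov/2025:10:16:30 +0000] "GET /files/download?name=..%252F..%252Fwindows%252Fwin.ini HTTP/1.1" 404 0',
]
```

Running `review_log(SAMPLE_LOG)` yields two findings from the same source address, the first of which was served unauthenticated and should be treated as a probable disclosure.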
Lyrie Verdict
This is a file exposure class vulnerability with confirmed in-the-wild exploitation status by virtue of KEV inclusion, so treat it as an ongoing incident until remediated. CISA KEV
Lyrie autonomously hunts for the behavioral signature of CWE-552: unexpected serving or enumeration of system files by internet-facing components, with machine-speed containment to block exfil paths. NVD CVE-2025-11371
We fuse KEV intelligence into policy so that when a service begins exposing system file resources consistent with CVE-2025-11371, we alert, isolate, and enforce without waiting for human reaction time. CISA KEV
CVE-2025-11371 is an in-the-wild file exposure class issue; Lyrie detects anomalous system-file serving on public interfaces and auto-isolates at machine speed, driven by KEV intel.