Threat actors are exploiting a zero-day vulnerability in Gladinet’s CentreStack, a widely used enterprise file-sharing and collaboration platform. The flaw allows unauthenticated remote code execution (RCE), enabling attackers to gain full control of affected servers.
Security researchers began observing exploitation attempts in early October 2025, shortly before Gladinet confirmed the issue. The company stated it is working on a patch while advising customers to disable external access to vulnerable endpoints.
Technical Details of the Gladinet Vulnerability
The vulnerability resides in CentreStack’s web API authentication routine, which fails to sanitize user input during file-sharing session initialization. According to researchers at VulnCheck, attackers exploit this flaw to inject arbitrary commands that the server executes with elevated privileges.
This gives the attacker direct file access, credential harvesting capabilities, and the ability to deploy additional payloads. Notably, this zero-day affects both self-hosted CentreStack deployments and cloud-integrated environments, extending the attack surface significantly.
Active Exploitation in the Wild
Researchers observed automated mass-scanning from threat groups attempting to identify exposed Gladinet endpoints. In several confirmed cases, attackers deployed web shells and remote administration tools (RATs) post-exploitation, indicating lateral movement and persistence.
Security telemetry suggests most attacks originate from servers in Eastern Europe and Asia, leveraging compromised cloud instances for obfuscation.
Gladinet’s Response and Mitigation Guidance
Gladinet confirmed active exploitation but emphasized that no internal infrastructure was compromised.
The company urged administrators to:
- Restrict internet access to management interfaces.
- Disable temporary external file-sharing links.
- Monitor logs for unusual activity, including new admin sessions.
- Implement a Web Application Firewall (WAF) rule blocking unverified API calls.
Furthermore, Gladinet is developing a security update, expected within days.
Until then, users should apply network-level segmentation and restrict access to trusted IPs only.
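The two interim controls above that can be checked mechanically are "restrict access to trusted IPs" and "monitor logs for new admin sessions." The script below is an added example written for this article, not Gladinet's code or tooling: it reads web-server access-log lines, flags requests to management or session-initialization endpoints that arrive from addresses outside a trusted-network allowlist, and separately reports every successful admin login so a reviewer can confirm each one. CentreStack's actual log format and endpoint paths are not documented here, so the path prefixes, trusted networks and sample log lines are constructed placeholders that an administrator would replace with their own.

```python
"""Flag management/API requests from untrusted addresses and new admin sessions.

Added example for the mitigation guidance above; not Gladinet's code.
The log format is the common 'combined' web-server format, and the
endpoint paths and network ranges are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Placeholder allowlist: replace with the ranges your management
# interface should actually be reachable from.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Placeholder prefixes standing in for the management interface and the
# file-sharing session-initialization API named in the article.
SENSITIVE_PREFIXES = ("/management/", "/api/session/")
ADMIN_LOGIN_PATH = "/management/login"

REASON_UNTRUSTED = "sensitive endpoint reached from untrusted address"
REASON_ADMIN_SESSION = "new admin session established"
REASON_UNPARSEABLE = "unparseable log line"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def is_trusted(ip_str: str) -> bool:
    """True if the address parses and falls inside one of TRUSTED_NETWORKS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # garbage in the client field is never trusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per policy violation or noteworthy event."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding("?", "?", REASON_UNPARSEABLE))
            continue
        ip, user, path, status = m["ip"], m["user"], m["path"], m["status"]
        # Any hit on a sensitive endpoint from outside the allowlist is a
        # violation of the "trusted IPs only" rule, whatever the status code.
        if path.startswith(SENSITIVE_PREFIXES) and not is_trusted(ip):
            findings.append(Finding(ip, path, REASON_UNTRUSTED))
        # Every successful admin login is reported for manual review, even
        # from trusted space, since stolen credentials come from anywhere.
        if path == ADMIN_LOGIN_PATH and status == "200" and user != "-":
            findings.append(Finding(ip, path, REASON_ADMIN_SESSION))
    return findings


# Constructed sample lines (RFC 5737 documentation addresses for the
# untrusted clients); not real telemetry.
SAMPLE_LOG = [
    '10.0.4.17 - admin [07/Oct/2025:09:12:01 +0000] "POST /management/login HTTP/1.1" 200 512',
    '203.0.113.45 - - [07/Oct/2025:09:13:44 +0000] "POST /api/session/init HTTP/1.1" 500 0',
    '203.0.113.45 - - [07/Oct/2025:09:13:45 +0000] "POST /api/session/init HTTP/1.1" 200 89',
    '192.168.50.9 - jdoe [07/Oct/2025:09:20:10 +0000] "GET /files/share/abc123 HTTP/1.1" 200 4096',
    '198.51.100.7 - admin [07/Oct/2025:09:25:00 +0000] "POST /management/login HTTP/1.1" 200 512',
    'garbage line',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.reason}: {f.ip} {f.path}")
```

Run against the constructed sample, the scan reports the two session-initialization requests from 203.0.113.45 and the admin login from 198.51.100.7 as untrusted, lists both successful admin logins for review, and surfaces the unparseable line rather than silently dropping it. In practice the same allowlist check belongs in front of the application as a reverse-proxy or WAF rule; the log scan is the detective control that verifies the preventive one is actually holding.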
This zero-day could allow complete compromise of enterprise file-sharing infrastructure, exposing sensitive corporate and customer data. Because CentreStack integrates with Active Directory and cloud storage, attackers could leverage stolen credentials to escalate privileges across an organization’s network.
Security experts warn this vulnerability poses a threat similar to MOVEit and GoAnywhere MFT breaches, which affected thousands of global entities.
Security Research Community Response
The cybersecurity community has responded swiftly. Threat-intelligence firms like Huntress Labs and Rapid7 have begun issuing detection signatures and YARA rules to identify compromised instances.
Moreover, managed security providers are urging customers to check for unauthorized file access logs and investigate outbound traffic spikes to suspicious IP ranges.
The Gladinet incident underscores the rising frequency of zero-day exploitation in third-party file-sharing and collaboration tools. Attackers increasingly target business-critical middleware, exploiting slow patch cycles and wide deployment bases.
In turn, this trend amplifies the need for proactive vulnerability intelligence, segmentation, and incident-response readiness among IT administrators.
Enterprises using Gladinet CentreStack should treat this as an active emergency. Until a patch is issued, the best mitigation is network isolation and continuous log review. Ultimately, the exploit demonstrates how threat actors continue to weaponize zero-days in supply-chain-reliant ecosystems, forcing organizations to improve real-time vulnerability monitoring.
FAQs
Q1. What product is affected?
Gladinet CentreStack, a file-sharing and remote collaboration platform used by enterprises.
Q2. What type of vulnerability is this?
A zero-day remote code execution (RCE) flaw in CentreStack’s API.
Q3. Is there a patch available?
Not yet. Gladinet has issued temporary mitigations and plans a patch shortly.
Q4. How are hackers exploiting it?
They send crafted API requests that trigger command injection on the server.
Q5. What should admins do right now?
Disable external access, apply WAF rules, and monitor all admin session logs for anomalies.