Skip to main content

Gladinet Triofox CVE-2026-8364

| EUVDEUVD-2026-32641 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-05-27 tenable GHSA-xw8r-hmpg-qx28
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 27, 2026 - 22:04 EUVD
Analysis Generated
May 27, 2026 - 20:52 vuln.today

DescriptionCVE.org

Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo, /woshome, /Settings, /schedule, or /DavCache.

AnalysisAI

Missing authentication in Gladinet Triofox's Cloud Server Agent Access Service (GladServerAgentService.exe) lets remote, unauthenticated attackers reach privileged HTTP endpoints exposed on TCP port 7878. The service processes requests to paths such as /resources, /status, /sysinfo, /woshome, /Settings, /schedule, and /DavCache without an authentication check (CWE-306), and the CVSS vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H) rates the impact as full confidentiality, integrity, and availability compromise. There is no public exploit identified at time of analysis and no EPSS score was provided, but the 9.8 base score and unauthenticated network reachability make this a critical-priority issue for any internet-exposed Triofox deployment.

Technical ContextAI

Triofox is Gladinet's enterprise file access, sync, and sharing platform; the affected component is its Cloud Server Agent Access Service, a Windows service binary (GladServerAgentService.exe) that opens a listener on TCP port 7878 to handle agent/server HTTP traffic. The flaw is classed as CWE-306 (Missing Authentication for Critical Function), tagged by the reporter as an Authentication Bypass: critical request handlers - including system-information (/sysinfo, /status), configuration (/Settings), scheduling (/schedule), resource (/resources), home (/woshome), and WebDAV cache (/DavCache) endpoints - are served to any client that can reach the port, with no credential or session validation enforced before the request is processed. The CPE cpe:2.3:a:gladinet:triofox:*:*:*:*:*:*:*:* uses a wildcard version field, indicating the affected version range was not constrained in the available data.

RemediationAI

No vendor-released patch identified at time of analysis, and no fix version was provided in the source data - monitor Gladinet for a Triofox update and consult the Tenable advisory at https://www.tenable.com/security/research/TRA-2026-45 for fixed-version guidance before deploying. As compensating controls until a patched build is confirmed: block inbound TCP port 7878 at the network perimeter and host firewall so the Cloud Server Agent Access Service is not reachable from untrusted networks (trade-off: may break legitimate agent-to-server communication that relies on this port, so restrict by source IP allowlist rather than a blanket block where agents must still connect); restrict access to the exposed URL paths (/resources, /status, /sysinfo, /woshome, /Settings, /schedule, /DavCache) via an upstream reverse proxy or WAF that enforces authentication, accepting the operational overhead of fronting the service; and remove any internet exposure of the service, keeping it on an internal/management segment only. Each control narrows reachability without fixing the underlying missing-authentication flaw, so apply the vendor patch once available.

Share

CVE-2026-8364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy