Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo, /woshome, /Settings, /schedule, or /DavCache.
AnalysisAI
Missing authentication in Gladinet Triofox's Cloud Server Agent Access Service (GladServerAgentService.exe) lets remote, unauthenticated attackers reach privileged HTTP endpoints exposed on TCP port 7878. The service processes requests to paths such as /resources, /status, /sysinfo, /woshome, /Settings, /schedule, and /DavCache without an authentication check (CWE-306), and the CVSS vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H) rates the impact as full confidentiality, integrity, and availability compromise. There is no public exploit identified at time of analysis and no EPSS score was provided, but the 9.8 base score and unauthenticated network reachability make this a critical-priority issue for any internet-exposed Triofox deployment.
Technical ContextAI
Triofox is Gladinet's enterprise file access, sync, and sharing platform; the affected component is its Cloud Server Agent Access Service, a Windows service binary (GladServerAgentService.exe) that opens a listener on TCP port 7878 to handle agent/server HTTP traffic. The flaw is classed as CWE-306 (Missing Authentication for Critical Function), tagged by the reporter as an Authentication Bypass: critical request handlers - including system-information (/sysinfo, /status), configuration (/Settings), scheduling (/schedule), resource (/resources), home (/woshome), and WebDAV cache (/DavCache) endpoints - are served to any client that can reach the port, with no credential or session validation enforced before the request is processed. The CPE cpe:2.3:a:gladinet:triofox:*:*:*:*:*:*:*:* uses a wildcard version field, indicating the affected version range was not constrained in the available data.
RemediationAI
No vendor-released patch identified at time of analysis, and no fix version was provided in the source data - monitor Gladinet for a Triofox update and consult the Tenable advisory at https://www.tenable.com/security/research/TRA-2026-45 for fixed-version guidance before deploying. As compensating controls until a patched build is confirmed: block inbound TCP port 7878 at the network perimeter and host firewall so the Cloud Server Agent Access Service is not reachable from untrusted networks (trade-off: may break legitimate agent-to-server communication that relies on this port, so restrict by source IP allowlist rather than a blanket block where agents must still connect); restrict access to the exposed URL paths (/resources, /status, /sysinfo, /woshome, /Settings, /schedule, /DavCache) via an upstream reverse proxy or WAF that enforces authentication, accepting the operational overhead of fronting the service; and remove any internet exposure of the service, keeping it on an internal/management segment only. Each control narrows reachability without fixing the underlying missing-authentication flaw, so apply the vendor patch once available.
Triofox versions before 16.7.10368.56560 contain an improper access control flaw allowing access to initial setup pages
Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in WOSDefaultHttpModule.dll,
Remote code execution in Gladinet Triofox is possible through a stack-based buffer overflow in the WOSDeviceDropFolder.d
Denial of service in Gladinet Triofox lets unauthenticated remote attackers crash the web service by sending an HTTP req
Information disclosure via path traversal in Gladinet Triofox lets remote unauthenticated attackers read arbitrary files
Denial of service in Gladinet Triofox lets remote unauthenticated attackers crash the Triofox Server Agent by triggering
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32641
GHSA-xw8r-hmpg-qx28