
Three Critical Flaws Hit Gladinet Triofox: CVE-2026-8362 / 8363 / 8364, Enterprise File Sharing At Risk

Tenable Research disclosed three critical unauthenticated RCE vulnerabilities (CVE-2026-8362/8363/8364, all CVSS 9.8) in Gladinet Triofox enterprise file sharing on May 27, 2026. Versions up to 17.1.10488.57063 are vulnerable; fixed in 17.3.10565.57509.

Makoto Horikawa

Backend Engineer / AWS / Django

2026.05.28, 7 min read

On May 27, 2026, Tenable Research disclosed three critical vulnerabilities in Gladinet Triofox, an enterprise cloud file-sharing product, in security research advisory TRA-2026-45: CVE-2026-8362, CVE-2026-8363, and CVE-2026-8364. All three carry a CVSS score of 9.8 and enable unauthenticated remote code execution (RCE).

Gladinet Triofox is a product designed to share the contents of on-premises file servers across global offices, positioned as an "enterprise OneDrive alternative" that lets users manipulate files through the cloud as if they were in Windows Explorer, without a VPN. It is widely deployed across manufacturing, construction, media, and government sectors. At the center of all three flaws is Triofox's core component, the Triofox Server Agent (GladServerAgentService.exe). This service listens on TCP port 7878 and processes HTTP requests with no authentication whatsoever, the common root cause of all three vulnerabilities.

Triofox Server Agent versions up to and including v17.1.10488.57063 are affected; the fix lands in v17.3.10565.57509 and later. A successful attack allows listing, adding, modifying, and deleting files; tampering with settings in the SQLite database; and ultimately a full server takeover via buffer overflow, turning a company's confidential file infrastructure into an ideal foothold for ransomware groups.

What Gladinet Triofox Is

Gladinet is a Massachusetts-based company founded in 2009, and Triofox is its flagship product. Built around the concept of "accessing the contents of file servers from anywhere in the world, just like Windows Explorer," it places the Triofox Server Agent on top of a Windows file server so that employees worldwide can open files seamlessly. It covers the full set of enterprise-grade features: Active Directory integration, NTFS permission inheritance, global file locking, and offline folders.

Typical deployment scenarios include:

  • Manufacturing: enabling Japanese headquarters and overseas plants to edit CAD data (tens of GB to TB scale) directly in Photoshop or AutoCAD
  • Construction: syncing blueprints and construction plans between site offices and headquarters nationwide, with version control
  • Media and video production: sharing raw footage (40 TB to PB scale) with edit houses while enforcing Active Directory permissions
  • Government and public sector: keeping classified files on-premises rather than in public cloud, while still providing remote access
  • Insurance: storing contract PDFs from branch offices and agency networks directly on internal file servers

During disclosure, Gladinet told Tenable that "the typical deployment of this product is on an internal, non-internet-facing file server." In practice, however, delivering Triofox's headline feature, VPN-less inter-office file sharing, generally requires that the Server Agent be reachable from outside over HTTPS, meaning a non-trivial number of organizations have their attack surface exposed to the internet.

The Three CVEs In Detail

CVE-2026-8364: Missing Authentication Middleware, TCP 7878 Wide Open (CVSS 9.8)

The most fundamental "design-root" flaw of the three is CVE-2026-8364: the HTTP server that GladServerAgentService.exe listens on at TCP 7878 performs no authentication checks at all. NVD classifies the issue as CWE-306 (Missing Authentication for Critical Function). According to Tenable's advisory TRA-2026-45, the URL path prefixes accepted without authentication include:

  • /resources: listing, adding, modifying, and deleting files on Triofox Drive
  • /Settings: tampering with configuration values in the SQLite database
  • /status / /sysinfo: leaking system information
  • /woshome / /schedule / /DavCache: various internal functions

Via /resources, an attacker can directly read, alter, and delete files on Triofox Drive. That alone is already catastrophic, an "anonymous free-for-all on confidential corporate files," but combined with the other two buffer overflows, it provides a path all the way to code execution on the server itself.

CVE-2026-8362: Stack BOF in WOSDefaultHttpModule.dll via /woshome (CVSS 9.8)

CVE-2026-8362 is a stack-based buffer overflow that occurs when WOSDefaultHttpModule.dll handles an overly long URL path beginning with /woshome. NVD classifies it as CWE-121. Tenable characterizes it as "a combination of a buffer overflow and path traversal functionality." A stack BOF is a classically critical vulnerability that maps directly to attacker-controlled code execution via an overwritten return address.

CVE-2026-8363: Stack BOF in WOSDeviceDropFolder.dll via /resources (CVSS 9.8)

CVE-2026-8363 is a stack buffer overflow (CWE-121) that triggers when WOSDeviceDropFolder.dll processes long URL paths beginning with /resources:. The targeted path overlaps with /resources, which CVE-2026-8364 has already shown requires no authentication, so an authentication bypass and a buffer overflow sit side by side on the same URL path, a particularly dangerous alignment.

| CVE | Affected Module | Vulnerability | CVSS |
|---|---|---|---|
| CVE-2026-8362 | WOSDefaultHttpModule.dll | Stack BOF (/woshome path) | 9.8 |
| CVE-2026-8363 | WOSDeviceDropFolder.dll | Stack BOF (/resources: path) | 9.8 |
| CVE-2026-8364 | GladServerAgentService.exe | Missing auth middleware, TCP 7878 (multiple paths) | 9.8 |

Three Months of Disclosure Friction: "The Port Doesn't Accept Connections"

What sets this case apart is that more than three months passed between Tenable Research's initial vendor notification and the official fix. The disclosure timeline documented in Tenable's advisory runs as follows.

| Date | Event |
|---|---|
| Feb 11 | Tenable Research makes initial contact and discloses to the vendor |
| Feb 25 | Gladinet acknowledges receipt and commits to future mitigations |
| Mar 2 | Gladinet asserts that "the port does not accept external connections" |
| Apr 2 - Apr 23 | Ongoing discussion about the actual bind behavior and remediation approach |
| Apr 29 | Tenable requests confirmation of the final fixed version |
| May 27 | Three CVEs published; fixed version v17.3.10565.57509 released |

The vendor's initial position that "the port is not externally reachable" is internally consistent if you assume the product is deployed only on internal, non-internet-facing networks. In reality, many Triofox Server Agents sit at internet-reachable positions precisely so they can support inter-office file sharing. From a customer's vantage point, this three-month stretch boils down to: "we trusted the VPN-less file-sharing pitch, and as a result our exposed Server Agent sat defenseless on the internet for three months."

Vulnerabilities in enterprise file-sharing products of this class tend to be immediately weaponized by ransomware groups. In 2023, IBM Aspera Faspex (CVE-2022-47986) was used by the IceFire ransomware, and, much like Triofox, MOVEit Transfer's CVE-2023-34362 became the launchpad for a large-scale campaign by the Clop ransomware group. None of the three Triofox CVEs are listed in CISA KEV yet, but depending on what exploitation telemetry shows, they could be added in short order.

What To Do Now

1. Update Triofox Server Agent to v17.3.10565.57509 or later. Pull the latest version from the official Gladinet management console and roll it out to every Triofox Server Agent, both at headquarters and at overseas offices. Server Agents are commonly deployed across multiple sites, so the first step is to build a complete update plan covering all of them.

2. Audit TCP port 7878 exposure immediately. Until the fix is applied (and as a defense-in-depth measure even afterward), restrict TCP port 7878 on servers running the Triofox Server Agent so that it is unreachable from external networks. Review firewall rules, AWS Security Groups, Azure NSGs, and on-premises ACLs to ensure access is limited to trusted IPs or internal VPN tunnels. Organizations that have been running Triofox's inter-office sharing "without a VPN" should consider temporarily mandating VPN connectivity here.

3. Audit access logs going back six months. CVE-2026-8364 is a pre-existing flaw that Tenable had already found as of February 2026, so the possibility that attackers discovered and exploited it independently cannot be ruled out. Check for unexpected accesses to /resources, /Settings, and /woshome, especially requests with abnormally long URL paths.

4. Audit file change and deletion history on Triofox Drive. Triofox includes change-history and version-control features. Spot-check critical files from the past six months for any unexpected edits or deletions. Because attackers could manipulate files anonymously via /resources, look for traces of tampering or data exfiltration.

5. Reassess Active Directory integration settings. Triofox's access control is structured around Active Directory accounts, but CVE-2026-8364's authentication bypass reaches the endpoints without going through AD authentication at all. Strengthening AD passwords or enabling MFA does nothing for this particular issue. Until the fixed version is deployed, simply taking Triofox off the public internet is the most reliable mitigation.

6. As a prerequisite for ransomware defense, immediately verify backups and restore drills. Enterprise file-sharing infrastructure is a prime ransomware target. Use this incident as an occasion to re-verify that your 3-2-1 backups (three copies, two media types, one offsite), unencryptable air-gapped backups, and, critically, hands-on restore drills for files under Triofox are actually functional.
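
The log review in step 3 can be scripted along the following lines. This is an added example, not code from Tenable, Gladinet or this article's author. It assumes Common Log Format lines from a proxy or firewall in front of TCP 7878 (the page does not describe the agent's own log format), and the function name `audit`, the trusted network 10.0.0.0/8 and the 512-character `MAX_PATH_LEN` threshold are hypothetical choices.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Unauthenticated prefixes named in the article; case-insensitive match is an assumption.
PREFIXES = ("/resources", "/Settings", "/status", "/sysinfo",
            "/woshome", "/schedule", "/DavCache")
MAX_PATH_LEN = 512  # Assumption: cut-off for "abnormally long"; tune to your baseline.
# Assumption: Common Log Format lines from a proxy or firewall in front of TCP 7878.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def audit(lines, trusted_cidrs, now, days=180):
    """Flag requests to the listed prefixes that are external or have long paths."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    cutoff = now - timedelta(days=days)  # roughly the six-month look-back
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue  # not a request line in the assumed format
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["target"].split("?", 1)[0]
        prefix = next((p for p in PREFIXES if path.lower().startswith(p.lower())), None)
        if when < cutoff or prefix is None:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
            external = not any(src in net for net in trusted)
        except ValueError:
            external = True  # hostname or garbage in the source field: untrusted
        long_path = len(path) > MAX_PATH_LEN
        if external or long_path:
            findings.append({"line": lineno, "ip": m["ip"], "prefix": prefix,
                             "status": int(m["status"]), "path_len": len(path),
                             "external": external, "long_path": long_path})
    return findings

# Constructed sample log lines (documentation-range IPs), not real traffic.
NOW = datetime(2026, 5, 28, tzinfo=timezone.utc)
SAMPLE = [
    '10.0.0.5 - - [20/May/2026:09:14:02 +0000] "GET /resources/plans/site.pdf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [21/May/2026:02:40:11 +0000] "GET /Settings HTTP/1.1" 200 312',
    '198.51.100.9 - - [22/May/2026:03:05:47 +0000] "GET /woshome/' + "x" * 600 + ' HTTP/1.1" 500 0',
    '203.0.113.7 - - [23/May/2026:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 900',
    '203.0.113.7 - - [01/Sep/2025:08:00:00 +0000] "GET /sysinfo HTTP/1.1" 200 88',
]
if __name__ == "__main__":
    print(*audit(SAMPLE, ["10.0.0.0/8"], NOW), sep="\n")
```

A finding with `external` false but `long_path` true still deserves review, since an over-long request from inside the trusted range may indicate an already compromised internal host.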

CISA KEV Status And Related Coverage

As of May 28, 2026, none of CVE-2026-8362/8363/8364 are listed in the CISA KEV catalog. That said, an earlier Gladinet product flaw, CVE-2023-32258 (Gladinet CentreStack), was added to CISA KEV and subsequently leveraged by ransomware groups. There is no doubt that these three new flaws, especially CVE-2026-8364, which alone establishes unauthenticated RCE, are highly attractive to attackers.

This site continuously tracks CVEs that CISA has flagged as actively exploited, along with their remediation deadlines, on our CISA KEV Dashboard (Japanese edition). When Triofox-related CVEs land in KEV, the dashboard will let you immediately see both their impact on Japanese organizations and the U.S. federal agency deadlines.

For tracking CVEs in dependency packages used by similar enterprise file-sharing and transfer products (IBM Aspera, MOVEit Transfer, Citrix ShareFile, Egnyte, and so on), our OSS Supply Chain Scanner is a useful tool. Triofox itself is closed-source, but the OSS middleware riding on top of it (SQLite, OpenSSL, various parsers) is worth monitoring in parallel for vulnerabilities.
