CVE-2026-8363: Gladinet Triofox Stack-based Buffer Overflow in WOSDeviceDropFolder.dll
A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources.
HarborGuard Analysis
Synopsis
A stack-based buffer overflow exists in WOSDeviceDropFolder.dll, a component of Gladinet Triofox, triggered by sending an oversized URL path beginning with /resources to the service over the network. The flaw requires no authentication and no user interaction, making it directly reachable by any attacker who can connect to the exposed service. Successful exploitation gives the attacker full control over the affected host, including the ability to read, modify, or destroy data and execute arbitrary code. A patched-image rebuild at version 17.3.10565.57509 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-8363 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images. Any image containing a vulnerable version of Gladinet Triofox (earlier than 17.3.10565.57509) will surface in scan results automatically.
- Scoring and alerting: Available
HarborGuard scores this CVE at 9.8 CRITICAL using the provided CVSS v3.1 vector and weights findings against each customer environment's compliance policy to determine urgency. Alerts are routed to the appropriate team inbox within the customer org based on image ownership and policy configuration.
- Patched-image rebuild: Available
A patched-image rebuild at Triofox version 17.3.10565.57509 becomes available through HarborGuard once the fix version is confirmed against the affected image layer. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Triofox service over the network; any internet- or LAN-exposed instance is in scope.
- Authentication: Not required
No credentials or session token of any kind are needed to trigger the overflow.
- Victim interaction: Not required
The attacker sends a crafted HTTP request directly; no user on the target system needs to take any action.
- Attack complexity: Low
Exploitation is reliable and condition-free; no race conditions, memory-layout guessing, or special environmental state is required.
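Because the trigger is a single unauthenticated HTTP request with an oversized path under /resources, the most useful thing a defender can do short of patching is look for that shape of request in the access logs of the reverse proxy or web server in front of Triofox. The following is an added detection example written for this page; it is not HarborGuard's or Gladinet's code. It assumes Common Log Format lines and a path-length threshold of 256 bytes, which is an assumption (the advisory does not state how long the path must be), and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Assumed threshold for an "oversized" /resources path. The advisory does not
# state the overflow length, so tune this to the longest legitimate /resources
# path your deployment actually serves.
PATH_LENGTH_THRESHOLD = 256

# Common Log Format: client, identity, user, [timestamp], "request line", status, size
_CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass(frozen=True)
class Finding:
    client: str
    timestamp: str
    method: str
    path_length: int
    status: int


def parse_line(line):
    """Return the regex match for a CLF line, or None if the line is malformed."""
    return _CLF.match(line)


def find_oversized_resource_requests(log_text, threshold=PATH_LENGTH_THRESHOLD):
    """Flag requests whose path begins with /resources and exceeds `threshold` bytes."""
    findings = []
    for line in log_text.splitlines():
        m = parse_line(line)
        if m is None:
            continue  # skip malformed lines instead of aborting the whole sweep
        # Only the path component matters for this flaw; drop any query string.
        raw_path = m.group("target").split("?", 1)[0]
        # Prefix check on the percent-decoded, lower-cased path: IIS/Windows
        # paths are case-insensitive and "/resources" may arrive encoded.
        if not unquote(raw_path).lower().startswith("/resources"):
            continue
        if len(raw_path) > threshold:
            findings.append(Finding(
                client=m.group("client"),
                timestamp=m.group("ts"),
                method=m.group("method"),
                path_length=len(raw_path),
                status=int(m.group("status")),
            ))
    return findings


# Constructed sample log lines, not real Triofox traffic. The third line models
# an oversized /resources path using a neutral filler character; the last line
# is deliberately malformed to exercise the skip path.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/May/2026:10:01:02 +0000] "GET /resources/css/site.css HTTP/1.1" 200 1024',
    '10.0.0.5 - - [12/May/2026:10:01:03 +0000] "GET /portal/login?next=%2F HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/May/2026:10:02:10 +0000] "GET /resources/' + "x" * 600 + ' HTTP/1.1" 500 0',
    'this line is not in Common Log Format',
])

if __name__ == "__main__":
    for f in find_oversized_resource_requests(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} {f.method} path_length={f.path_length} status={f.status}")
```

Run it against the real access log with `find_oversized_resource_requests(open(path).read())`; a hit from an external client with a 5xx status on an unpatched host is worth treating as a possible crash or exploitation attempt and correlating with the Triofox service's own crash events.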
Blast Radius
- Attacker can execute arbitrary code at the privilege level of the Triofox service process, effectively owning the host.
- All data accessible to the service, including stored files, credentials, and session material, can be read and exfiltrated.
- An attacker can modify or delete files and configuration managed by Triofox, corrupting stored data or altering service behavior.
- The service process can be crashed or made unresponsive, denying access to all connected users and dependent workflows.
How HarborGuard Handles This
Available on HarborGuard: images containing Gladinet Triofox versions earlier than 17.3.10565.57509 are flagged at the CRITICAL severity level as soon as the CVE appears in upstream feeds. Where compliance policy permits, auto-remediation triggers a rebuild of the affected image at the patched version, executes a regression test run against the rebuilt image, and opens a pull request against every affected workload; for environments with auto-remediation enabled, the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with the fix version pre-populated so engineers can initiate the rebuild manually. Given the network-accessible, unauthenticated nature of this vulnerability, prioritizing remediation of any internet-facing Triofox deployment is strongly advised.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: 17.3.10565.57509
- Affected Products: 1
Fix available
- Gladinet / Triofox: < 17.3.10565.57509 (from 0)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H