CVE-2026-8359
Description
When processing a request with a URL path starting with /status or /sysinfo, WOSHttpStatusModule.dll is to be loaded to handle such URL patterns. The WOSBin_LoadHttpModule function in the dll would be called to set up a "module" object for that module. However, WOSHttpStatusModule.dll is not present in the installation. As a result, a function pointer to WOSBin_LoadHttpModule (which would have been in the export table in WOSHttpStatusModule.dll) is set to NULL, resulting in calling a function at address 0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gladinet Triofox Server Agent crashes when a remote attacker triggers a null-pointer dereference by requesting a /status or /sysinfo path, causing denial of service.
Vulnerability
When processing a request with a URL path starting with /status or /sysinfo, the WOSHttpStatusModule.dll is expected to be loaded to handle such URL patterns. The WOSBin_LoadHttpModule function in that DLL would be called to set up a module object. However, WOSHttpStatusModule.dll is not present in the installation. As a result, the function pointer to WOSBin_LoadHttpModule remains NULL, leading to a call to a function at address 0 — a null-pointer dereference. This affects Gladinet Triofox Server Agent version 17.1.10488.57063 as reported in [1].
Exploitation
An unauthenticated remote attacker can send an HTTP request to the server agent listening on TCP port 7878 with a URL path starting with /status or /sysinfo. No authentication or user interaction is required. The crash occurs immediately upon processing the request, as the code tries to call a null function pointer [1].
Impact
Successful exploitation causes a null-pointer dereference crash, resulting in denial of service of the Triofox Server Agent service. No additional code execution or data compromise is achieved through this specific vulnerability [1].
Mitigation
The vulnerability is documented in the referenced research [1]. At the time of publication, no patch or fixed version has been announced by Gladinet. Users should monitor vendor advisories for an update. As a workaround, if possible, restrict network access to TCP port 7878 to trusted hosts only.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.