CVE-2026-8360

Vulnerability

A NULL pointer dereference vulnerability exists in the WOSSysInfoGetDeviceInterface() function within WOSCommonUtil.dll of Gladinet Triofox Server Agent version 17.1.10488.57063 [1]. This function is called from various DLLs, including WOSProfileMgrModule.dll and WOSWebDavModule.dll. When no user is logged into the Triofox Server Agent Management Console, the function returns a NULL pointer, which is subsequently dereferenced without a prior check, leading to a crash.

Exploitation

An unauthenticated remote attacker can trigger this vulnerability by sending a crafted HTTP request to the Triofox Server Agent service (listening on TCP port 7878) when no user is logged into the Management Console [1]. The attacker does not require any prior authentication or user interaction. The exact endpoint that triggers the vulnerable code path is not specified in the available references, but the service processes requests to paths such as /resources, /status, /sysinfo, etc., which may invoke the vulnerable function.

Impact

Successful exploitation results in a denial of service (DoS) condition, causing the Triofox Server Agent service to crash. This disrupts file sharing and other functionality provided by the agent. The CVSS v3 base score of 7.5 (High) reflects the high availability impact and the low complexity of the attack.

Mitigation

As of the publication date, no official patch has been disclosed in the available references [1]. Administrators should ensure that at least one user is logged into the Triofox Server Agent Management Console to avoid the NULL pointer condition. Additionally, restricting network access to TCP port 7878 to trusted hosts can reduce the attack surface until a fix is applied.