PatchSiren cyber security CVE debrief

CVE-2026-8360 Gladinet CVE debrief

A NULL pointer dereference vulnerability exists in Triofox Server Agent Management Console components. The function WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface() can return a NULL pointer when no user is logged into the console, and this return value is not validated before dereference in dependent DLLs including WOSProfileMgrModule.dll and WOSWebDavModule.dll. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates network-accessible attack surface with low complexity, no privileges required, and no user interaction, resulting in high availability impact. The vulnerability was disclosed by Tenable Research. No known exploitation in ransomware campaigns has been reported.

Vendor: Gladinet
Product: Triofox
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Triofox Server Agent Management Console; security teams monitoring for DLL stability issues in Windows server environments; incident responders tracking availability-impacting vulnerabilities in enterprise file sharing infrastructure

Technical summary

The vulnerability stems from a missing NULL check on the return value of WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface(), which can return NULL when it is called while no user is logged into the console. The dependent modules WOSProfileMgrModule.dll and WOSWebDavModule.dll dereference that unchecked return value, leading to potential denial of service. Because the attack vector is network-accessible and requires no authentication, the defensive priority is elevated.

Defensive priority

HIGH

Recommended defensive actions

  • Apply vendor patches for Triofox Server Agent Management Console when available
  • Monitor for unexpected process crashes in WOSProfileMgrModule.dll and WOSWebDavModule.dll
  • Implement network segmentation to limit exposure of management console interfaces
  • Review authentication requirements for administrative console access
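
One way to act on the crash-monitoring recommendation above, as an added example that is not PatchSiren's or the vendor's code: it parses the message text of Windows Application Error (Event ID 1000) records and flags crashes whose faulting module is one of the two DLLs named in this debrief. The sample events, the host process name and the version fields are constructed placeholders.

```python
import re
from collections import Counter

# DLL names taken from the debrief text; compared case-insensitively.
WATCHED_MODULES = {"wosprofilemgrmodule.dll", "woswebdavmodule.dll"}
ACCESS_VIOLATION = 0xC0000005  # Windows exception code produced by a NULL dereference

FIELD_RE = re.compile(
    r"Faulting application name:\s*(?P<app>[^,]+),.*?"
    r"Faulting module name:\s*(?P<module>[^,]+),.*?"
    r"Exception code:\s*(?P<code>0x[0-9a-fA-F]+)",
    re.DOTALL,
)

def parse_crash(message):
    """Extract application, faulting module and exception code from one message."""
    m = FIELD_RE.search(message)
    if not m:
        return None  # not an Application Error record, or a truncated one
    return {"app": m["app"].strip(), "module": m["module"].strip(),
            "code": int(m["code"], 16)}

def triage(messages):
    """Return (hits, per-module counts) for crashes in the watched DLLs."""
    hits = []
    for msg in messages:
        crash = parse_crash(msg)
        if crash and crash["module"].lower() in WATCHED_MODULES:
            # An access violation in a watched module fits the CWE-476 pattern;
            # other exception codes are still reported but not marked.
            crash["null_deref_candidate"] = crash["code"] == ACCESS_VIOLATION
            hits.append(crash)
    return hits, Counter(h["module"].lower() for h in hits)

# Constructed sample messages; example_host.exe and all versions are placeholders.
_HDR = "Faulting application name: example_host.exe, version: 0.0.0.0, time stamp: 0x0\n"
SAMPLE_EVENTS = [
    _HDR + "Faulting module name: WOSWebDavModule.dll, version: 0.0.0.0, time stamp: 0x0\n"
           "Exception code: 0xc0000005\nFault offset: 0x0",
    _HDR + "Faulting module name: ntdll.dll, version: 0.0.0.0, time stamp: 0x0\n"
           "Exception code: 0xc0000005\nFault offset: 0x0",
    _HDR + "Faulting module name: WOSProfileMgrModule.dll, version: 0.0.0.0, time stamp: 0x0\n"
           "Exception code: 0xc0000409\nFault offset: 0x0",
    "The service entered the running state.",
]

if __name__ == "__main__":
    hits, counts = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['module']} in {h['app']}: code={h['code']:#x} "
              f"null_deref_candidate={h['null_deref_candidate']}")
    print(dict(counts))
```

A repeated run of flagged crashes in a short window is the availability signal to alert on; a single hit is worth correlating with network access to the management console.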

Evidence notes

Vulnerability description sourced from NVD record with CVSS 3.1 scoring. Tenable Research attribution confirmed via reference metadata. CWE-476 (NULL Pointer Dereference) classified as secondary weakness source.
