Description
Function calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface() in various DLLs (i.e., WOSProfileMgrModule.dll, WOSWebDavModule.dll) can return a NULL pointer (i.e., when no user is logged into the Triofox Server Agent Management Console). The returned NULL pointer is not checked before being dereferenced.
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in the Gladinet Triofox system causes the WOSCommonUtil.dll function WOSSysInfoGetDeviceInterface() to return a NULL pointer when no user is logged into the Server Agent Management Console. The code does not verify the pointer before dereferencing it, which leads to a crash of the affected DLL and results in a denial of service. The weakness involved is a null pointer dereference, identified as CWE-476, and the impact is the loss of availability of the Triofox service.

Affected Systems

The vulnerability affects installations of the Gladinet Triofox Server Agent Management Console that use the WOSPhysicalProfile Manager Module or the WOSWebDav Module, which in turn invoke the WOSCommonUtil.dll library. Versions are not specified in the advisory; the flaw applies to any release that incorporates these modules.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level, but the EPSS score is not available and the flaw is not listed in the CISA KEV catalog, suggesting limited evidence of active exploitation. The likely attack vector is local or via privileged access to the console, as the crash occurs when no user session is active. While no detailed exploitation chain is disclosed, a successful trigger would cause the Triofox service to terminate and require manual restart, leading to significant downtime.

Generated by OpenCVE AI on May 27, 2026 at 22:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch for Gladinet Triofox as soon as it is released.
  • Configure the Triofox Server Agent Management Console so that only authenticated users can invoke modules that interact with WOSCommonUtil.dll, thereby preventing the error from occurring when no user session exists.
  • Implement monitoring for unexpected crashes or restarts of the Triofox service, and have an automated or manual recovery plan in place to restore service rapidly.

Generated by OpenCVE AI on May 27, 2026 at 22:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Gladinet
Gladinet triofox
Vendors & Products Gladinet
Gladinet triofox

Wed, 27 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description Function calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface() in various DLLs (i.e., WOSProfileMgrModule.dll, WOSWebDavModule.dll) can return a NULL pointer (i.e., when no user is logged into the Triofox Server Agent Management Console). The returned NULL pointer is not checked before being dereferenced.
Title Gladinet Triofox Unchecked Return Value to NULL Pointer Dereference DOS
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Gladinet Triofox
cve-icon MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-05-27T20:25:57.857Z

Reserved: 2026-05-11T19:17:38.614Z

Link: CVE-2026-8360

cve-icon Vulnrichment

Updated: 2026-05-27T20:25:55.144Z

cve-icon NVD

Status : Received

Published: 2026-05-27T20:16:42.713

Modified: 2026-05-27T21:16:19.400

Link: CVE-2026-8360

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T03:00:05Z

Weaknesses