The Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) exposes a set of unsecured HTTP endpoints on TCP port 7878. These endpoints – including /resources, /status, /sysinfo, /woshome, /Settings, /schedule, and /DavCache – can be called without any authentication. Because these paths perform privileged functions, an attacker that can reach the service could trigger those functions remotely, potentially achieving full remote code execution or complete unauthorized control of the managed device. This weakness is classified as CWE‑306, Missing Authentication.

The vulnerability affects Gladinet Triofox servers running the server agent component that listens on port 7878. No specific product versions are listed in the CVE data, so the full scope of affected releases is not defined. Administrators should confirm that the GladServerAgentService.exe is running on their systems and determine the exact product version if possible.

The CVSS base score of 9.8 indicates critical severity. The EPSS score is not available, so the current estimate of exploitation likelihood is unknown; however, because the service exposes critical functionality on a publicly reachable port without authentication, the risk of remote exploitation is high. Based on the description, the likely attack vector is remote, network-based HTTP access to the open endpoints. The vulnerability is not listed in the CISA KEV catalog. Combined, the high severity and unrestricted exposure suggest that the vulnerability should be treated with top priority.