Attackers are actively exploiting a critical flaw in Gladinet's CentreStack and Triofox products: hard-coded cryptographic keys that let an unauthenticated attacker forge access tickets, read server files and, in the observed attack chain, achieve remote code execution.
Huntress issued its warning after seeing the flaw exploited against nine organizations. Its researchers explain that threat actors abuse the weak cryptography to read the web.config file, and the machine key it contains then opens the door to ViewState deserialization and remote code execution.
Root cause and mechanism
At the heart of the problem lies a function named GenerateSecKey() inside Gladinet's GladCtrl64.dll. This function produces the cryptographic keys used to encrypt access tickets, which carry authorization data (such as usernames and passwords) and control file-system access. Because GenerateSecKey() returns the same 100-byte text strings every time it is called, the resulting keys never change and are the same on every installation that ships the DLL. An attacker who recovers these keys can decrypt any ticket the server issues, or craft a new ticket of their choosing without ever authenticating.
With a forged ticket, an attacker can read valuable files on the server, including web.config, and so obtain the ASP.NET machine key. That key is what signs ViewState, so holding it lets the attacker submit a malicious serialized ViewState payload that the server deserializes, yielding remote code execution.
Exploitation details
The observed attacks send specially crafted requests to the /storage/filesvr.dn endpoint; the malicious URL is a long parameterized string carrying the forged ticket. In these tickets the Username and Password fields are left blank, so the application falls back to the IIS application pool identity when it reads files. The ticket's creation timestamp is set to 9999, which effectively makes the ticket non-expiring and lets the attacker reuse the same URL indefinitely to pull server configuration data.
Impact and scope
As of December 10, nine organizations across various sectors—including healthcare and technology—have been impacted. The attacks appear to originate from IP 147.124.216[.]205 and attempt to combine the previously disclosed vulnerability CVE-2025-11371 with this new exploit chain, aiming to retrieve the machine key from web.config.
What happened next
Once the attackers held the machine key, they attempted a ViewState deserialization attack and tried to read back the output of the executed payload; in the cases Huntress observed, this last step did not always return meaningful results.
Recommended actions
If your organization uses CentreStack or Triofox, apply the latest update (version 16.12.10420.56791, released December 8, 2025), which fixes the vulnerability. In addition, search your web server logs for the string "vghpI7EToZUDIZDdprSubL3mTZ2", the encrypted representation of the web.config path as it appears in the attackers' requests; a hit is an indicator of compromise.
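As an added example (not code from Huntress or Gladinet), the following PowerShell scans IIS W3C log lines for the token above and for the attacker IP named later in this report. The sample log lines, their query-string layout and the user agents are constructed; the function name Find-GladinetIoc and the default IIS log directory are assumptions.

```powershell
# Added example, not Huntress or Gladinet code: hunt IIS W3C logs for the
# indicators in the advisory. Only the token value and the IP come from the report.
$IocToken = 'vghpI7EToZUDIZDdprSubL3mTZ2'   # encrypted web.config path seen in requests
$IocIp    = '147.124.216.205'               # attacker IP from the report, refanged

function Find-GladinetIoc {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The W3C header names the columns; IIS sites can log different layouts
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $cols = $line -split '\s+'
        $row  = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $row[$fields[$i]] = $cols[$i] }

        $why = @()
        if ($line.Contains($IocToken)) { $why += 'encrypted web.config path in request' }  # case-sensitive
        if ($row['c-ip'] -eq $IocIp)   { $why += 'known attacker IP' }
        if ($why.Count -eq 0) { continue }

        [pscustomobject]@{
            Time   = '{0} {1}' -f $row['date'], $row['time']
            Client = $row['c-ip']
            Status = $row['sc-status']
            Uri    = '{0}?{1}' -f $row['cs-uri-stem'], $row['cs-uri-query']
            Why    = $why -join '; '
        }
    }
}

# Constructed sample log: a benign request, a filesvr.dn request carrying the token
# from an unrelated IP, and a filesvr.dn request from the attacker IP.
$SampleLog = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status',
    '2025-12-09 10:14:55 10.0.0.5 GET /portal/loginpage.aspx - 203.0.113.7 Mozilla/5.0 200',
    '2025-12-09 10:15:01 10.0.0.5 GET /storage/filesvr.dn ticket=AAAA...vghpI7EToZUDIZDdprSubL3mTZ2 198.51.100.23 python-requests/2.31 200',
    '2025-12-09 10:15:09 10.0.0.5 GET /storage/filesvr.dn ticket=BBBB 147.124.216.205 python-requests/2.31 200'
)

Find-GladinetIoc -Lines $SampleLog | Format-Table -AutoSize   # flags the last two lines

# Against real logs (assumed default IIS location; adjust for your site):
# Find-GladinetIoc -Lines (Get-ChildItem 'C:\inetpub\logs\LogFiles' -Recurse -Filter *.log | Get-Content)
```

The token match is the strong signal: it is the attacker's encrypted reference to web.config and has no legitimate reason to appear in a request. Treat the IP match as corroboration only, since the source address can change. Every flagged request to /storage/filesvr.dn should be assumed to have read server files as the application pool identity.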
If indicators of compromise are found, assume the machine key has been stolen. Applying the patch does not invalidate a key that was already exfiltrated: any ViewState signed with it stays valid until the key is replaced, so rotate the machine key by following the hardening steps for the CentreStack cluster: locate the installation folder (typically C:\Program Files (x86)\Gladinet Cloud Enterprise\root), back up web.config, use IIS Manager to navigate to Sites -> Default Web Site, open ASP.NET Machine Key, generate new keys, save the changes to root\web.config, and restart IIS across all worker nodes.
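The same rotation done from PowerShell instead of IIS Manager, as an added example that is not Gladinet's own script: it backs up web.config, writes cryptographically random validationKey and decryptionKey values into system.web/machineKey, and restarts IIS. The install path is the default quoted above; the function names, the HMACSHA256/AES choice and the key sizes are my assumptions. ASP.NET validates ViewState with whatever key the handling node holds, so a cluster must apply the identical key pair on every worker node before the restart.

```powershell
# Added example, not Gladinet's script: programmatic equivalent of the IIS Manager
# "Machine Key" steps in the hardening guide. Run elevated on each worker node.
$WebConfig = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config'

function New-HexKey {
    param([int]$ByteLength)
    # Cryptographically random bytes, upper-case hex as ASP.NET expects in machineKey
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Update-MachineKey {
    param(
        [string]$Path,
        [string]$ValidationKey,   # pass the SAME values on every node of the cluster
        [string]$DecryptionKey
    )
    # 1. Back up the current config before touching it. The backup still holds the
    #    compromised key, so keep it out of reach of the web server identity.
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $Path -Destination $backup

    # 2. Load the XML and locate (or create) configuration/system.web/machineKey
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $systemWeb = $cfg.SelectSingleNode('/configuration/system.web')
    if (-not $systemWeb) {
        $systemWeb = $cfg.DocumentElement.AppendChild($cfg.CreateElement('system.web'))
    }
    $mk = $systemWeb.SelectSingleNode('machineKey')
    if (-not $mk) { $mk = $systemWeb.AppendChild($cfg.CreateElement('machineKey')) }

    # 3. Write explicit keys. Explicit values (not AutoGenerate/IsolateApps) are what
    #    keep every worker node validating the same ViewState.
    $mk.SetAttribute('validationKey', $ValidationKey)
    $mk.SetAttribute('decryptionKey', $DecryptionKey)
    $mk.SetAttribute('validation',    'HMACSHA256')
    $mk.SetAttribute('decryption',    'AES')
    $cfg.Save($Path)   # note: XmlDocument.Save rewrites formatting of the whole file
    return $backup
}

# Generate once, then apply the identical pair on every worker node
$vk = New-HexKey -ByteLength 64   # 128 hex chars: 64-byte HMACSHA256 validation key
$dk = New-HexKey -ByteLength 32   # 64 hex chars: AES-256 decryption key
$backupPath = Update-MachineKey -Path $WebConfig -ValidationKey $vk -DecryptionKey $dk
Write-Host "machineKey rotated; previous config saved to $backupPath"

iisreset /restart                 # 4. Restart IIS on this node; repeat on all worker nodes
```

Generate the pair on one node and copy the two values (not the script's random output) to the others; if nodes end up with different keys, ViewState from one node fails validation on the next and users see intermittent errors. Verify after the restart that the old token-bearing URLs from the logs no longer return data.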
Want more context on these kinds of cryptographic weaknesses and how to harden related systems? Share your thoughts in the comments and tell us which mitigation step you’d prioritize first.