Critical Vulnerability in Gladinet’s CentreStack and Triofox Exploited for Unauthorized Access and Remote Code Execution
A significant security flaw has been identified in Gladinet’s CentreStack and Triofox products, actively exploited by cyber attackers to gain unauthorized access and execute remote code. This vulnerability arises from the use of hard-coded cryptographic keys within the software, affecting multiple organizations across various sectors, including healthcare and technology.
Understanding the Vulnerability
The core issue lies in a function named `GenerateSecKey()` within the `GladCtrl64.dll` file. This function generates cryptographic keys used to encrypt access tickets containing authorization data, such as usernames and passwords. These tickets facilitate access to the file system, provided the credentials are valid.
However, `GenerateSecKey()` always returns the same 100-byte string, so the cryptographic keys derived from it are static. This predictability allows attackers to decrypt any ticket generated by the server or to forge their own. Consequently, they can read sensitive files such as `web.config`, which contains the machine key needed for ViewState deserialization attacks, ultimately enabling remote code execution.
Exploitation in the Wild
Cybersecurity firm Huntress has observed active exploitation of this vulnerability. Attackers craft specific URL requests to the `/storage/filesvr.dn` endpoint, using access tickets with blank username and password fields. This manipulation causes the application to default to the IIS Application Pool Identity. Additionally, by setting the timestamp field in the access ticket to 9999, attackers create tickets that never expire, allowing indefinite reuse of the URL to download server configurations.
As of December 10, 2025, nine organizations have been affected by this exploit. The attacks originate from the IP address 147.124.216[.]205 and involve chaining this new exploit with a previously disclosed flaw (CVE-2025-11371) to access the machine key from the `web.config` file.
Mitigation Measures
In response to these active exploits, organizations using CentreStack and Triofox are urged to update to the latest version, 16.12.10420.56791, released on December 8, 2025. This update addresses the vulnerability by eliminating the use of hard-coded cryptographic keys.
Furthermore, it’s recommended to scan server logs for the presence of the string `vghpI7EToZUDIZDdprSubL3mTZ2`, which represents the encrypted path of the `web.config` file. Detection of this indicator suggests potential compromise.
If indicators of compromise are found, it’s imperative to rotate the machine key to prevent further exploitation. This process involves accessing the CentreStack installation folder, backing up the `web.config` file, and generating a new machine key through the IIS Manager.
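The log scan recommended above, written here as an added example rather than code from the article, Huntress or Gladinet: it parses IIS W3C log lines (constructed samples, not a real capture) and flags the three indicators the article gives, the encrypted `web.config` path string, requests to `/storage/filesvr.dn`, and the reported attacker IP. The exact W3C field layout and the `ticket=` query-string name are assumptions.

```python
"""Hunt IIS W3C logs for the CentreStack/Triofox indicators this article names."""

# Indicators taken from the article; the IP appears there defanged as 147.124.216[.]205.
WEBCONFIG_MARKER = "vghpI7EToZUDIZDdprSubL3mTZ2"   # encrypted path of web.config
ATTACKER_IP = "147.124.216.205"
TICKET_ENDPOINT = "/storage/filesvr.dn"

# Constructed sample log, not a real capture. The query-string layout (ticket=...) is
# invented; the scan looks for the marker anywhere in the line, so it does not matter.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-12-09 14:02:11 10.0.0.5 GET /storage/filesvr.dn ticket=CONSTRUCTED_vghpI7EToZUDIZDdprSubL3mTZ2_CONSTRUCTED 147.124.216.205 200
2025-12-09 14:05:40 10.0.0.5 GET /portal/loginpage.aspx - 203.0.113.7 200
2025-12-09 14:06:02 10.0.0.5 GET /storage/filesvr.dn ticket=CONSTRUCTED_OTHER_TICKET 198.51.100.9 200
2025-12-09 14:07:15 10.0.0.5 GET /portal/images/logo.png - 147.124.216.205 200
"""


def parse_w3c(text):
    """Yield (fields dict, raw line) for each data line, using the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):          # skip malformed lines quietly
            yield dict(zip(fields, values)), line


def hunt(text):
    """Return one (time, client ip, severity, reasons) tuple per suspicious request."""
    findings = []
    for entry, raw in parse_w3c(text):
        reasons = []
        if WEBCONFIG_MARKER in raw:
            reasons.append("web.config ticket marker")
        if entry.get("c-ip") == ATTACKER_IP:
            reasons.append("known attacker IP")
        if entry.get("cs-uri-stem", "").lower() == TICKET_ENDPOINT:
            reasons.append("filesvr.dn ticket request")
        if not reasons:
            continue
        # Ticket downloads are normal traffic; only the marker or the IP is high confidence.
        severity = "review" if reasons == ["filesvr.dn ticket request"] else "high"
        findings.append((entry["time"], entry["c-ip"], severity, reasons))
    return findings
```

Run `hunt()` over the real IIS log text instead of `SAMPLE_LOG`; a "high" finding is the signal to start the machine-key rotation described above.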
Broader Implications
This incident underscores the critical importance of secure cryptographic practices in software development. The use of hard-coded keys presents a significant security risk, as they can be easily exploited once discovered. Organizations must prioritize the implementation of dynamic and secure key management practices to safeguard against such vulnerabilities.
Moreover, this case highlights the necessity for continuous monitoring and timely patching of software vulnerabilities. Cyber attackers are increasingly adept at exploiting known flaws, making it essential for organizations to stay vigilant and proactive in their cybersecurity efforts.
Conclusion
The active exploitation of hard-coded cryptographic keys in Gladinet’s CentreStack and Triofox products serves as a stark reminder of the ever-present threats in the digital landscape. By promptly updating software, monitoring for indicators of compromise, and adhering to robust security practices, organizations can mitigate risks and protect their systems from unauthorized access and potential damage.