Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far.
"Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution," security researcher Bryan Masters said.
The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution, the cybersecurity company added. The vulnerability has not been assigned a CVE identifier.
At its core, the issue is rooted in a function named "GenerateSecKey()" present in "GladCtrl64.dll" that's used to generate the cryptographic keys necessary to encrypt access tickets containing authorization data (i.e., Username and Password) and enable access to the file system as a user, assuming the credentials are valid.
Because the GenerateSecKey() function returns the same 100-byte text strings and these strings are used to derive the cryptographic keys, the keys never change and can be weaponized to decrypt any ticket generated by the server or even encrypt one of the attacker's choosing.
This, in turn, opens the door to a scenario where it can be exploited to access files containing valuable data, such as the web.config file, and obtain the machine key required to perform remote code execution via ViewState deserialization.
The attacks, according to Huntress, take the form of specially crafted URL requests to the "/storage/filesvr.dn" endpoint, such as below -
/storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu
The attack efforts have been found to leave the Username and Password fields blank, causing the application to fall back to the IIS Application Pool Identity. What's more, the timestamp field in the access ticket, which refers to the creation time of the ticket, is set to 9999, effectively creating a ticket that never expires, allowing the threat actors to reuse the URL indefinitely and download the server configuration.
As of December 10, as many as nine organizations have been affected by the newly disclosed flaw. These organizations belong to a wide range of sectors, such as healthcare and technology. The attacks originate from the IP address 147.124.216[.]205 and attempt to chain together a previously disclosed flaw in the same applications (CVE-2025-11371) with the new exploit to access the machine key from the web.config file.
"Once the attacker was able to obtain the keys, they performed a viewstate deserialization attack and then attempted to retrieve the output of the execution, which failed," Huntress said.
In light of active exploitation, organizations that are using CentreStack and Triofox should update to the latest version, 16.12.10420.56791, released on December 8, 2025. Additionally, it's advised to scan logs for the presence of the string "vghpI7EToZUDIZDdprSubL3mTZ2," which is the encrypted representation of the web.config file path.
In the event indicators or compromise (IoCs) are detected, it's imperative that the machine key is rotated by following the steps below -
- On Centrestack server, go to Centrestack installation folder C:\Program Files (x86)\Gladinet Cloud Enterprise\root
- Make a backup of web.config
- Open IIS Manager
- Navigate to Sites -> Default Web Site
- In the ASP.NET section, double click Machine Key
- Click 'Generate Keys' on the right pane
- Click Apply to save it to root\web.config
- Restart IIS after repeating the same step for all worker nodes
The development makes it the third vulnerability in CentreStack and Triofox that has come under active exploitation in the wild since the start of the year, after CVE-2025-30406 and CVE-2025-11371. Huntress told The Hacker News that it's possible the activity is the work of a single threat actor.
"We can't say for certain it's the same threat actor, but there's strong circumstantial evidence," Anna Pham, senior hunt and response analyst at Huntress, said. "The threat actor is chaining all three Gladinet vulnerabilities in a single, orchestrated attack flow and attempts to use CVE-2025-11371 for output exfiltration after achieving RCE. That's a pre-built workflow suggesting familiarity with these exploits from prior use. At minimum, whoever this is has deep knowledge of Gladinet's vulnerability history."
