- A vulnerability involving hard-coded cryptographic keys impacts Gladinet CentreStack and Triofox products.
- Threat actors exploit the flaw to access sensitive files like web.config and perform remote code execution through ViewState deserialization.
- The flaw relates to the static key generation by the “GenerateSecKey()” function in GladCtrl64.dll.
- At least nine organizations across multiple sectors have been affected as of December 10, 2025.
- Users are advised to update to the latest software version and rotate machine keys to mitigate the risk.
A new vulnerability affecting Gladinet CentreStack and Triofox software has been actively exploited, impacting at least nine organizations as of December 10, 2025. The flaw stems from hard-coded cryptographic keys embedded in the products, which allow attackers to access critical configuration files and execute remote code.
Security researcher Bryan Masters explained that threat actors can leverage this weakness to access the web.config file, enabling deserialization attacks through ViewState and leading to remote code execution. The problem originates from a function named “GenerateSecKey()” within the “GladCtrl64.dll” library. This function produces fixed 100-byte strings used to derive cryptographic keys, which remain unchanged over time.
Because these keys never change, attackers can decrypt or forge access tickets containing authorization data such as usernames and passwords. This grants unauthorized access to files and the ability to craft tickets that never expire by manipulating the timestamp field. The attacks typically target the “/storage/filesvr.dn” endpoint using specially crafted URL requests.
The intrusions leave username and password fields blank, causing the system to default to the IIS Application Pool Identity, which broadens unauthorized access. The reused tickets allow persistent access to sensitive data, including the machine key needed for ViewState deserialization exploits.
Affected organizations span healthcare, technology, and other sectors, with attacks traced to the IP address 147.124.216[.]205. The threat actors combine this vulnerability with a previously disclosed flaw (CVE-2025-11371) to access the machine key from the web.config file. According to Huntress, attackers performed deserialization attacks but encountered failures in retrieving execution output.
To address the issue, users of CentreStack and Triofox are urged to update their software to version 16.12.10420.56791, released on December 8, 2025, as indicated on the official CentreStack and Triofox release pages. Monitoring logs for the encrypted string “vghpI7EToZUDIZDdprSubL3mTZ2” is recommended to detect indicators of compromise.
If signs of exploitation are found, administrators should rotate machine keys following guidelines outlined here. The process involves backing up the web.config file, generating new machine keys in IIS Manager under the ASP.NET section, and restarting IIS on all worker nodes.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
