Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution

The Hacker News

Huntress is warning of a new actively exploited vulnerability in Gladinet’s CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far.

“Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution,” security researcher Bryan Masters said.

The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution, the cybersecurity company added.

At its core, the issue is rooted in a function named "GenerateSecKey()" present in “GladCtrl64.dll” that’s used to generate the cryptographic keys necessary to encrypt access tickets containing authorization data (i.e., Username and Password) and enable access to the file system as a user, assuming the credentials are valid.

Because the GenerateSecKey() function returns the same 100-byte text strings and these strings are used to derive the cryptographic keys, the keys never change and can be weaponized to decrypt any ticket generated by the server or even encrypt one of the attacker’s choosing.

This, in turn, opens the door to a scenario where it can be exploited to access files containing valuable data, such as the web.config file, and obtain the machine key required to perform remote code execution via ViewState deserialization.

The attacks, according to Huntress, take the form of specially crafted URL requests to the “/storage/filesvr.dn” endpoint, such as the one below:

/storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu

The attack efforts have been found to leave the Username and Password fields blank, causing the application to fall back to the IIS Application Pool Identity. What’s more, the timestamp field in the access ticket, which refers to the creation time of the ticket, is set to 9999, effectively creating a ticket that never expires, allowing the threat actors to reuse the URL indefinitely and download the server configuration.

As of December 10, as many as nine organizations have been affected by the newly disclosed flaw. These organizations belong to a wide range of sectors, such as healthcare and technology. The attacks originate from the IP address 147.124.216[.]205 and attempt to chain together a previously disclosed flaw in the same applications (CVE-2025-11371) with the new exploit to access the machine key from the web.config file.

“Once the attacker was able to obtain the keys, they performed a viewstate deserialization attack and then attempted to retrieve the output of the execution, which failed,” Huntress said.

In light of active exploitation, organizations that are using CentreStack and Triofox should update to the latest version, 16.12.10420.56791, released on December 8, 2025. Additionally, it’s advised to scan logs for the presence of the string “vghpI7EToZUDIZDdprSubL3mTZ2”, which is the encrypted representation of the web.config file path.
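The log scan recommended above can be scripted. The following is an added example, not code from Huntress or Gladinet; it assumes the server writes IIS W3C extended logs, and the sample log lines are constructed for illustration (only the indicator string, endpoint, query string and source address come from the article).

```python
# Indicator, endpoint and source address as published in the article above.
INDICATOR = "vghpI7EToZUDIZDdprSubL3mTZ2"
ENDPOINT = "/storage/filesvr.dn"
REPORTED_SOURCE = "147.124.216[.]205".replace("[.]", ".")  # refanged for matching

# Constructed sample log: timestamps, the benign request and the second
# client address are invented; the query string is the one quoted above.
_T = ("t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6"
      "eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu")
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-12-09 03:14:07 GET /index.html - 203.0.113.10 200
2025-12-09 03:15:41 GET /storage/filesvr.dn {_T} {REPORTED_SOURCE} 200
2025-12-09 03:15:58 GET /Storage/FileSvr.dn {_T} 198.51.100.7 404
"""

def scan_iis_log(lines):
    """Yield one finding per logged request that carries the indicator.

    Columns are read from the most recent '#Fields:' directive, because the
    layout can change mid-file. Without a directive the hit is still
    reported, with unknown columns shown as '?'.
    """
    fields = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or INDICATOR not in line:
            continue
        row = dict(zip(fields, line.split(" ")))
        yield {
            "line": lineno,
            "when": f"{row.get('date', '?')} {row.get('time', '?')}",
            "client": row.get("c-ip", "?"),
            "status": row.get("sc-status", "?"),
            # IIS paths are case-insensitive, so compare in lower case.
            "endpoint_match": row.get("cs-uri-stem", "").lower() == ENDPOINT,
            "reported_source": row.get("c-ip") == REPORTED_SOURCE,
        }

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Any hit is grounds for the machine key rotation described below; the status column helps prioritise hosts where the request was answered successfully.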

In the event indicators of compromise (IoCs) are detected, it’s imperative that the machine key is rotated by following the steps below:

  • On Centrestack server, go to Centrestack installation folder C:\Program Files (x86)\Gladinet Cloud Enterprise\root
  • Make a backup of web.config
  • Open IIS Manager
  • Navigate to Sites -> Default Web Site
  • In the ASP.NET section, double click Machine Key
  • Click ‘Generate Keys’ on the right pane
  • Click Apply to save it to root\web.config
  • Restart IIS after repeating the same step for all worker nodes
