Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution

Recent attacks are taking advantage of hard-coded encryption keys in Gladinet products, allowing attackers to break in without credentials and run commands on vulnerable systems. This flaw gives threat actors a direct path to bypass authentication, steal data, and take full control of affected servers. Security researchers are urging organizations using Gladinet or its derivatives to update immediately, review logs for unusual activity, and apply compensating controls until patches are fully deployed.

Dec 11, 2025 - 12:54
Dec 11, 2025 - 13:50

Huntress has raised the alarm about an actively exploited vulnerability related to the use of hard-coded cryptographic keys in Gladinet's CentreStack and Triofox products, which has already affected nine companies.

Bryan Masters, a security researcher, stated, "Threat actors may misuse this to get hold of the web.config file, which would eventually lead to deserialization and remote code execution."  

The hard-coded cryptographic keys may let intruders decrypt, or even forge, access tokens, giving them access to the web.config file, which can then be abused for ViewState deserialization and remote code execution, the security firm notes.

Fundamentally, the problem lies in a method called "GenerateSecKey()" in "GladCtrl64.dll", which is responsible for producing the cryptographic keys used to encrypt access tickets. These tickets carry the authorization data (Username and Password) and grant file system access as if the user had valid credentials.

Because GenerateSecKey() always returns the same 100-byte "random" strings, and these strings are the source from which the keys are derived, the keys never change and can be misused to decrypt any ticket produced by the machine, or even to forge one of the attacker's choosing.

As a result, the vulnerability can be exploited to read files containing sensitive information, such as the web.config file, and obtain the machine key needed for remote code execution via ViewState deserialization.

According to Huntress, the attacks manifest as URL requests crafted in a specific way to the "/storage/filesvr.dn" endpoint, for example, as follows -

In the reported attacks, the Username and Password fields are left empty, causing the application to fall back to the IIS Application Pool Identity. Additionally, the access ticket's timestamp field, which indicates when the ticket was created, is set to 9999, giving the actors a never-expiring ticket. They can then reuse the URL and download the server configuration without any time restrictions.
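The two design failures described above, a key derived from a constant seed and a ticket validator that accepts an empty identity and an arbitrary lifetime, are easy to model. The following is an added example, not Gladinet's code or ticket format: a toy ticket scheme in which HMAC stands in for the product's encryption layer, with the seed, the `t`-style field names, and the `MAX_TICKET_LIFETIME` policy all constructed for illustration. It shows that two "installations" sharing a constant seed derive the same key, so a ticket minted under one validates under the other, and contrasts a validator that checks only the MAC with one that also enforces identity and expiry policy.

```python
"""Toy access-ticket model (constructed; not Gladinet's format or code).

HMAC-SHA256 stands in for the product's encryption layer: the lesson is the
same, because a MAC key that every installation shares lets anyone mint
tickets that every installation accepts.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Stand-in for a seed that is identical on every installation (constructed value).
HARDCODED_SEED = b"constant seed shared by every installation"
# Hypothetical policy: no ticket may be valid for more than one hour.
MAX_TICKET_LIFETIME = 3600
TAG_LEN = 32  # SHA-256 output length


def derive_key(seed: bytes) -> bytes:
    """Derive the ticket key from a seed; a constant seed yields a constant key."""
    return hashlib.sha256(b"ticket-key" + seed).digest()


def install_key_from_hardcoded_seed() -> bytes:
    """What the flawed design does: every install ends up with the same key."""
    return derive_key(HARDCODED_SEED)


def install_key_per_installation() -> bytes:
    """The fix: seed from a CSPRNG at install time, so keys differ per host."""
    return derive_key(secrets.token_bytes(32))


def issue_ticket(key: bytes, username: str, expires_at: int) -> str:
    """Serialize claims and append an HMAC tag; returned as URL-safe base64."""
    payload = json.dumps({"u": username, "exp": expires_at}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def naive_validate(key: bytes, ticket: str) -> Optional[dict]:
    """Checks the tag only: accepts empty identities and far-future expiry."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except (ValueError, TypeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None
    return json.loads(payload)


def hardened_validate(key: bytes, ticket: str, now: Optional[int] = None) -> Optional[dict]:
    """Tag check plus the policy checks a server should enforce on every ticket."""
    claims = naive_validate(key, ticket)
    if claims is None:
        return None
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return None
    # An empty identity must be rejected, not mapped onto a service account.
    if not claims.get("u"):
        return None
    # Reject expired tickets and tickets whose remaining lifetime exceeds policy,
    # which is what stops a "never-ending" ticket from being honoured.
    if exp <= now or exp - now > MAX_TICKET_LIFETIME:
        return None
    return claims


if __name__ == "__main__":
    k_a = install_key_from_hardcoded_seed()
    k_b = install_key_from_hardcoded_seed()
    print("hard-coded seed gives identical keys on two installs:", k_a == k_b)
    now = int(time.time())
    t = issue_ticket(k_a, "", now + 10**9)
    print("naive validator accepts empty user / far-future ticket:", naive_validate(k_b, t) is not None)
    print("hardened validator accepts it:", hardened_validate(k_b, t, now=now) is not None)
```

The per-installation key removes the cross-host forgery problem, but the validator changes matter independently: even with a unique key, a server that honours an empty identity or an unbounded expiry turns any key leak into indefinite access.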

According to the latest data, the newly uncovered vulnerability had affected at least nine organizations as of December 10, spanning diverse industries including healthcare and technology. The attacks are traced back to the IP address 147.124.216[.]205, from which the intruders attempt to chain the new exploit, used to obtain the machine key from the web.config file, with a previously disclosed flaw in the same applications (CVE-2025-11371).

"After getting the keys, the intruder was able to conduct a viewstate deserialization attack and then tried to get the output of the execution, which was unsuccessful," said Huntress.

Given the active exploitation, companies using CentreStack and Triofox are strongly advised to update to the latest version, 16.12.10420.56791, released December 8, 2025. They should also check their logs for occurrences of "vghpI7EToZUDIZDdprSubL3mTZ2," the encrypted form of the web.config file path.
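The log check above can be scripted against IIS W3C extended logs. The following is an added example, not Huntress's or Gladinet's tooling: it parses the `#Fields:` header so it works with whatever column order the site logs, restricts attention to the "/storage/filesvr.dn" endpoint named in the article, and flags a row when the encrypted web.config path string appears in the request or when the client IP matches the reported source address (refanged here so it can be compared). The sample log lines, including the `t=` query parameter name, are constructed for the example.

```python
"""Scan IIS W3C extended log lines for the indicators given in the article.

Added example; the log lines below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Indicators from the article. The IP is written defanged there (147.124.216[.]205).
IOC_ENCRYPTED_WEBCONFIG_PATH = "vghpI7EToZUDIZDdprSubL3mTZ2"
IOC_SOURCE_IP = "147.124.216.205"
TARGET_ENDPOINT = "/storage/filesvr.dn"

# Constructed sample in IIS W3C format. The "t=" parameter name is a placeholder;
# the real request shape is not given in the article.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-09 03:14:07 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2xxxx 443 - 147.124.216.205 python-requests/2.31 200
2025-12-09 03:15:20 10.0.0.5 GET /portal/loginpage.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-12-09 03:16:02 10.0.0.5 GET /storage/filesvr.dn t=AbCdEf123 443 jdoe 198.51.100.23 Mozilla/5.0 200
2025-12-09 03:17:45 10.0.0.5 GET /storage/filesvr.dn t=QQvghpI7EToZUDIZDdprSubL3mTZ2 443 - 198.51.100.44 curl/8.4 200
"""


@dataclass
class Hit:
    line_no: int
    client_ip: str
    request: str
    reasons: List[str]


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line number, record) for data rows, using the latest #Fields header."""
    fields: Optional[List[str]] = None
    for n, line in enumerate(lines, start=1):
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row; a production scanner would report it
        yield n, dict(zip(fields, values))


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every request to the target endpoint that carries an indicator."""
    hits: List[Hit] = []
    for n, rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if stem.lower() != TARGET_ENDPOINT:
            continue
        query = rec.get("cs-uri-query", "")
        reasons: List[str] = []
        if IOC_ENCRYPTED_WEBCONFIG_PATH in stem or IOC_ENCRYPTED_WEBCONFIG_PATH in query:
            reasons.append("encrypted web.config path in request")
        if rec.get("c-ip") == IOC_SOURCE_IP:
            reasons.append("request from reported source IP")
        if reasons:
            request = stem if query in ("", "-") else f"{stem}?{query}"
            hits.append(Hit(n, rec.get("c-ip", "-"), request, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.client_ip} {hit.request} -> {', '.join(hit.reasons)}")
```

Point `scan()` at `open(path)` for each file under the site's `LogFiles\W3SVC*` directory; the endpoint filter keeps the substring match from lighting up on unrelated requests, and matching on the whole request rather than a fixed parameter name avoids depending on how the product places the ticket in the URL.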

When indicators of compromise (IoCs) are found, it is mandatory to rotate the machine key through the following process -

  • On the CentreStack server, open the CentreStack installation folder C:\Program Files (x86)\Gladinet Cloud Enterprise\root

  • Create a backup of web.config

  • Launch IIS Manager

  • Go to Sites -> Default Web Site

  • In the ASP.NET section, double-click on Machine Key

  • On the right pane, click on 'Generate Keys'

  • Click on Apply to write it to root\web.config
