A critical vulnerability in Gladinet’s CentreStack and Triofox products is being actively exploited by threat actors, according to a recent advisory from cybersecurity firm Huntress. The flaw stems from the use of hard-coded cryptographic keys, which allows attackers to potentially decrypt or forge access tickets, thereby gaining unauthorized access to sensitive system files. This active exploitation has already impacted nine organizations across various sectors, including healthcare and technology.
Security researcher Bryan Masters highlighted that threat actors could leverage this weakness to access the `web.config` file, enabling deserialization attacks and ultimately leading to remote code execution. The exploitation chain involves chaining this newly disclosed vulnerability with a previously identified flaw (CVE-2025-11371) in the same applications to extract the machine key from the `web.config` file.
Exploiting Hard-Coded Cryptographic Keys in CentreStack and Triofox
The root cause of the vulnerability lies within a function named “GenerateSecKey()” in the “GladCtrl64.dll” component. This function generates cryptographic keys essential for encrypting access tickets that contain authorization data, such as usernames and passwords. These tickets are used to grant access to the file system. However, the predictable nature of the generated keys is the core of the problem.
The “GenerateSecKey()” function consistently returns the same 100-byte text strings. These strings are then used to derive the cryptographic keys. Consequently, the keys never change, allowing attackers to decrypt any legitimate ticket generated by the server or craft their own encrypted tickets. This predictability is what enables the subsequent attacks on sensitive configuration files.
Furthermore, the attacks involve specially crafted URL requests targeting the “/storage/filesvr.dn” endpoint. These requests often leave the Username and Password fields blank, prompting the application to default to the IIS Application Pool Identity. Crucially, the timestamp field within the access ticket is set to an exceedingly high value, effectively creating a ticket that never expires. This allows attackers to reuse the malicious URL for an extended period, facilitating the download of server configurations.
Impact and Recommended Mitigation Strategies
As of December 10, 2025, nine organizations have fallen victim to attacks exploiting this vulnerability. The attacks, originating from IP address 147.124.216[.]205, aim to chain the current exploit with CVE-2025-11371 to obtain the machine key from the `web.config` file. Huntress reported that while attackers were able to obtain the keys and attempt a viewstate deserialization attack, the retrieval of execution output was unsuccessful in observed instances.
Huntress strongly advises organizations using CentreStack and Triofox to update to the latest version, 16.12.10420.56791, which was released on December 8, 2025. This patched version addresses the hard-coded cryptographic key issue. Additionally, it is recommended to scan system logs for the presence of the string “vghpI7EToZUDIZDdprSubL3mTZ2,” which represents the encrypted path to the `web.config` file.
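The log check recommended above, written out as an added example that is not code from Huntress or Gladinet: it parses IIS W3C log lines (constructed here for the demonstration) and flags requests carrying the encrypted `web.config` path or coming from the reported source address. The query parameter name `t` that carries the ticket and the exact field layout are assumptions.

```python
"""Scan IIS W3C logs for the CentreStack/Triofox web.config access indicators."""
from dataclasses import dataclass

# Indicators as reported in the Huntress advisory summarised above.
ENCRYPTED_WEBCONFIG_PATH = "vghpI7EToZUDIZDdprSubL3mTZ2"
REPORTED_SOURCE_IP = "147.124.216.205"  # the advisory's IP, written undefanged

# Constructed log excerpt for demonstration only. The query parameter "t"
# carrying the access ticket is an assumption, not taken from the advisory.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-09 03:14:07 10.0.0.5 GET /portal/loginpage.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2025-12-09 03:14:09 10.0.0.5 GET /storage/filesvr.dn t=AAAAvghpI7EToZUDIZDdprSubL3mTZ2BBBB 443 - 147.124.216.205 python-requests/2.31 200
2025-12-09 03:15:11 10.0.0.5 GET /storage/filesvr.dn t=Zm9vYmFy 443 alice 198.51.100.7 Mozilla/5.0 200
2025-12-09 03:16:02 10.0.0.5 GET /storage/filesvr.dn t=QQvghpI7EToZUDIZDdprSubL3mTZ2 443 - 198.51.100.9 curl/8.4 200
"""

@dataclass
class Hit:
    time: str
    client_ip: str
    request: str
    reasons: list

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    names = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if names and len(parts) == len(names):
                yield dict(zip(names, parts))

def scan_iis_log(text):
    """Return a Hit for every request that matches at least one indicator."""
    hits = []
    for rec in parse_w3c(text):
        request = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
        reasons = []
        if ENCRYPTED_WEBCONFIG_PATH in request:
            reasons.append("encrypted web.config path in request")
        if rec["c-ip"] == REPORTED_SOURCE_IP:
            reasons.append("client IP reported by Huntress")
        if reasons:
            hits.append(Hit(rec["date"] + " " + rec["time"], rec["c-ip"], request, reasons))
    return hits

if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(h.time, h.client_ip, h.request, "; ".join(h.reasons))
```

Point `scan_iis_log` at the contents of the real `u_ex*.log` files under the IIS log directory; a hit on the encrypted path from any address, not only the reported one, warrants the machine key rotation described below.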
In cases where indicators of compromise are detected, rotating the machine key is imperative. This process involves navigating to the CentreStack installation folder, backing up the `web.config` file, and then using the IIS Manager to generate new keys for the ASP.NET section. After generating new keys, IIS must be restarted on all worker nodes to ensure the changes are applied.
The ongoing exploitation of this vulnerability underscores the importance of proactive security measures and timely patching. Organizations are urged to implement the recommended updates and monitoring strategies to protect their systems from further attacks. The next steps for affected organizations include verifying the successful application of the patch and ensuring their security monitoring is configured to detect any residual signs of compromise.