Cyber Web Spider Blog – News

Active Attacks Exploit Gladinet’s Hard-Coded Keys for Unauthorized Access and Code Execution

Posted on December 11, 2025 By CWS

Dec 11, 2025Ravie LakshmananVulnerability / Encryption
Huntress is warning of a brand new actively exploited vulnerability in Gladinet’s CentreStack and Triofox merchandise stemming from using hard-coded cryptographic keys which have affected 9 organizations to date.
“Risk actors can probably abuse this as a strategy to entry the online.config file, opening the door for deserialization and distant code execution,” safety researcher Bryan Masters mentioned.
The usage of hard-coded cryptographic keys may permit menace actors to decrypt or forge entry tickets, enabling them to entry delicate recordsdata like internet.config that may be exploited to realize ViewState deserialization and distant code execution, the cybersecurity firm added.
At its core, the problem is rooted in a perform named “GenerateSecKey()” current in “GladCtrl64.dll” that is used to generate the cryptographic keys essential to encrypt entry tickets containing authorization knowledge (i.e., Username and Password) and allow entry to the file system as a consumer, assuming the credentials are legitimate.

Because the GenerateSecKey() function returns the same 100-byte text strings and these strings are used to derive the cryptographic keys, the keys never change and can be weaponized to decrypt any ticket generated by the server or even encrypt one of the attacker’s choosing.

This, in turn, opens the door to a scenario where it can be exploited to access files containing valuable data, such as the web.config file, and obtain the machine key required to perform remote code execution via ViewState deserialization.

The attacks, according to Huntress, take the form of specially crafted URL requests to the “/storage/filesvr.dn” endpoint, such as the one below:

/storage/filesvr.dn?t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu

The attack efforts have been found to leave the Username and Password fields blank, causing the application to fall back to the IIS Application Pool Identity. What’s more, the timestamp field in the access ticket, which refers to the creation time of the ticket, is set to 9999, effectively creating a ticket that never expires, allowing the threat actors to reuse the URL indefinitely and download the server configuration.

As of December 10, as many as nine organizations have been affected by the newly disclosed flaw. These organizations belong to a wide range of sectors, such as healthcare and technology. The attacks originate from the IP address 147.124.216[.]205 and attempt to chain together a previously disclosed flaw in the same applications (CVE-2025-11371) with the new exploit to access the machine key from the web.config file.

“Once the attacker was able to obtain the keys, they performed a viewstate deserialization attack and then attempted to retrieve the output of the execution, which failed,” Huntress said.

In light of active exploitation, organizations that are using CentreStack and Triofox should update to the latest version, 16.12.10420.56791, released on December 8, 2025. Additionally, it is advised to scan logs for the presence of the string “vghpI7EToZUDIZDdprSubL3mTZ2,” which is the encrypted representation of the web.config file path.
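The log check recommended above, sketched as an added example (not Huntress's or Gladinet's tooling): it parses IIS W3C logs using the #Fields header and flags requests whose path or query carries the indicator string. The sample log lines, IP addresses and ticket suffix are constructed for illustration.

```python
from urllib.parse import unquote

# Indicator quoted in the article: encrypted form of the web.config path.
INDICATOR = "vghpI7EToZUDIZDdprSubL3mTZ2"
ENDPOINT = "/storage/filesvr.dn"

# Constructed sample in IIS W3C format (documentation IP ranges, shortened ticket).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-09 10:01:02 10.0.0.5 GET /portal/login.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-12-09 10:02:11 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:CONSTRUCTED 443 - 192.0.2.44 curl/8.0 200
2025-12-09 10:05:40 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2%3ACONSTRUCTED 443 - 192.0.2.44 curl/8.0 403
"""

def scan_w3c_log(lines):
    """Return one dict per log entry whose URI carries the indicator."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The column layout is declared in-band and can change mid-file.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        # IIS logs path and query separately; decode to catch %-encoded forms.
        stem = unquote(row.get("cs-uri-stem", "")).lower()
        query = unquote(row.get("cs-uri-query", ""))
        if INDICATOR in query or INDICATOR in stem:
            hits.append({
                "when": f'{row.get("date", "?")} {row.get("time", "?")}',
                "client": row.get("c-ip", "?"),
                "endpoint_match": stem == ENDPOINT,
                "status": row.get("sc-status", "?"),
                # A 200 means the file was likely served: treat as an IoC hit.
                "served": row.get("sc-status") == "200",
            })
    return hits

def clients_served(hits):
    """Client IPs that received a 200 for an indicator-bearing request."""
    return sorted({h["client"] for h in hits if h["served"]})

if __name__ == "__main__":
    for hit in scan_w3c_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Any entry with `served` set to true is a reason to follow the machine key rotation steps; point the function at the site's real log files by passing an open file object instead of the sample.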

In the event indicators of compromise (IoCs) are detected, it is essential that the machine key is rotated by following the steps below:

  • On the CentreStack server, go to the CentreStack installation folder C:\Program Files (x86)\Gladinet Cloud Enterprise\root
  • Make a backup of web.config
  • Open IIS Manager
  • Navigate to Sites -> Default Web Site
  • In the ASP.NET section, double-click Machine Key
  • Click ‘Generate Keys’ on the right pane
  • Click Apply to save it to root\web.config
  • Restart IIS after repeating the same step for all worker nodes

The Hacker News Tags: Access, Active, Attacks, Code, Execution, Exploit, Gladinets, Hardcoded, Keys, Unauthorized
