Active Attacks Abuse Gladinet Hard Coded Keys to Gain Unauthorized Access and Execute Code

Cybersecurity researchers are warning of ongoing attacks targeting Gladinet CentreStack and Triofox deployments, where threat actors are actively exploiting a weakness caused by hard-coded cryptographic keys. According to new findings from Huntress, at least nine organizations have already been impacted.

Security researcher Bryan Masters explained that the flaw allows attackers to access sensitive configuration files such as web.config, which can then be abused to trigger deserialization attacks and ultimately achieve remote code execution.

Huntress stated that the root cause lies in the unsafe implementation of cryptographic key generation within Gladinet software. Because the keys are hard-coded, attackers can decrypt or forge access tickets. These tickets provide unauthorized access to protected files, including web.config, which contains the secrets required to perform ViewState deserialization attacks. The vulnerability has not yet been assigned a CVE identifier.

At a technical level, the issue originates from a function called GenerateSecKey() inside the GladCtrl64.dll library. This function is responsible for generating the cryptographic material used to encrypt access tickets, which store authorization details such as usernames and passwords. However, the function consistently returns the same 100-byte string, meaning the derived cryptographic keys never change. As a result, any attacker who understands this mechanism can decrypt tickets generated by the server or craft their own malicious tickets.

This behavior creates a clear exploitation path. By forging valid-looking access tickets, attackers can retrieve sensitive files from the server, including web.config. Once this file is obtained, the machine key stored within it can be extracted and used to conduct ViewState deserialization attacks, enabling remote code execution on the affected system.

Huntress observed that the attacks rely on specially crafted URL requests sent to the /storage/filesvr.dn endpoint. These requests are designed so that the Username and Password fields remain empty, forcing the application to fall back to the IIS Application Pool Identity. Additionally, the timestamp embedded in the access ticket is set to a far-future value, effectively creating a ticket that never expires. This allows attackers to reuse the same malicious URL repeatedly to download server configuration data.

As of December 10, nine organizations across sectors such as healthcare and technology have been confirmed as victims. The malicious activity has been traced back to the IP address 147.124.216[.]205. Investigators noted that attackers are chaining this newly identified flaw with a previously disclosed vulnerability, CVE-2025-11371, to extract the machine key from web.config and advance the attack.

Huntress reported that after successfully retrieving the cryptographic keys, attackers attempted to carry out a ViewState deserialization attack. While the observed execution attempt failed, the behavior confirms a clear intent to gain code execution capabilities.

Due to active exploitation in the wild, organizations using CentreStack and Triofox are strongly advised to upgrade to version 16.12.10420.56791, which was released on December 8, 2025. Defenders are also encouraged to review logs for the presence of the string vghpI7EToZUDIZDdprSubL3mTZ2, which corresponds to the encrypted path of the web.config file.
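To make the log review above concrete, the following added example (written for this article, not Huntress or Gladinet code) scans IIS W3C access log lines for the two indicators the article gives: requests to /storage/filesvr.dn carrying the string vghpI7EToZUDIZDdprSubL3mTZ2, and any request from the reported source IP. The log lines, the field layout and the Hit record are constructed for the example; the ticket query parameter name is assumed.

```python
"""Scan IIS W3C access logs for the Gladinet access-ticket abuse described above.

Checks (both taken from the article):
  1. a request to /storage/filesvr.dn whose query string carries
     vghpI7EToZUDIZDdprSubL3mTZ2, the encrypted path of web.config;
  2. any request from the reported source IP 147.124.216.205.
The sample log below is constructed for this example; the parameter
name 'ticket' is an assumption, which is why the check looks for the
indicator anywhere in the query rather than in a named parameter.
"""
from dataclasses import dataclass

INDICATOR = "vghpI7EToZUDIZDdprSubL3mTZ2"
ENDPOINT = "/storage/filesvr.dn"
KNOWN_SOURCE = "147.124.216.205"

SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-12-09 10:01:02 10.0.0.5 GET /storage/filesvr.dn ticket=AAAA&user=alice 10.0.0.21 200
2025-12-09 10:02:15 10.0.0.5 GET /storage/filesvr.dn ticket=vghpI7EToZUDIZDdprSubL3mTZ2 147.124.216.205 200
2025-12-09 10:02:16 10.0.0.5 POST /portal/login.aspx - 147.124.216.205 302
2025-12-09 10:03:00 10.0.0.5 GET /images/logo.png - 10.0.0.22 200
"""

@dataclass
class Hit:
    line_no: int        # 1-based line number within the log text
    client_ip: str
    reasons: tuple      # one entry per matched indicator

def parse_w3c(text):
    """Yield (line_no, {field: value}) using the most recent #Fields header."""
    fields = None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        yield n, dict(zip(fields, raw.split()))

def scan(text):
    """Return a Hit for every log line matching at least one indicator."""
    hits = []
    for n, rec in parse_w3c(text):
        reasons = []
        if rec.get("cs-uri-stem", "").lower() == ENDPOINT and INDICATOR in rec.get("cs-uri-query", ""):
            reasons.append("web.config ticket on filesvr.dn")
        if rec.get("c-ip") == KNOWN_SOURCE:
            reasons.append("reported attacker IP")
        if reasons:
            hits.append(Hit(n, rec.get("c-ip", "?"), tuple(reasons)))
    return hits
```

A hit on the first reason alone is the stronger signal, since the encrypted web.config path should never appear in legitimate traffic, whereas the source IP can change between campaigns.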

If indicators of compromise are identified, it is critical to rotate the machine key immediately. This process involves backing up the existing web.config file, generating new keys through the IIS Manager, applying the changes across all worker nodes, and restarting IIS services to ensure the new keys take effect.

This marks the third Gladinet-related vulnerability under active exploitation this year, following CVE-2025-30406 and CVE-2025-11371. Huntress told The Hacker News that the attacks may be linked to a single threat actor.

According to Anna Pham, there is strong circumstantial evidence suggesting that the same attacker is chaining all three vulnerabilities into a coordinated attack sequence. The structured workflow and reuse of known exploits indicate deep familiarity with Gladinet’s vulnerability history.
