Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution

Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys, which has affected nine organizations to date.

"Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution," security researcher Bryan Masters said.

The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution, the cybersecurity company added.

At its core, the issue is rooted in a function named "GenerateSecKey()" present in "GladCtrl64.dll" that is used to generate the cryptographic keys needed to encrypt access tickets containing authorization data (i.e., Username and Password) and grant access to the file system as a user, assuming the credentials are valid.

Because the GenerateSecKey() function always returns the same 100-byte text strings, and those strings are used to derive the cryptographic keys, the keys never change: anyone who has extracted them can decrypt any ticket generated by the server and even encrypt a ticket of the attacker's choosing.

This, in turn, opens the door to a scenario where a forged ticket is used to read files containing valuable data, such as the web.config file, and obtain the machine key required to perform remote code execution via ViewState deserialization.

The attacks, according to Huntress, take the form of specially crafted URL requests to the "/storage/filesvr.dn" endpoint, such as the one below:

/storage/filesvr.dn?t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu

The attack attempts were found to leave the Username and Password fields blank, causing the application to fall back to the IIS Application Pool Identity. What's more, the timestamp field in the access ticket, which records the creation time of the ticket, is set to 9999, effectively creating a ticket that never expires and allowing the threat actors to reuse the URL indefinitely to download the server configuration.

As of December 10, as many as nine organizations have been affected by the newly disclosed flaw. These organizations belong to a range of sectors, such as healthcare and technology. The attacks originate from the IP address 147.124.216[.]205 and attempt to chain a previously disclosed flaw in the same applications (CVE-2025-11371) with the new exploit to access the machine key from the web.config file.

"Once the attacker was able to obtain the keys, they performed a viewstate deserialization attack and then attempted to retrieve the output of the execution, which failed," Huntress said.

In light of active exploitation, organizations that are using CentreStack and Triofox should update to the latest version, 16.12.10420.56791, released on December 8, 2025. Additionally, it is recommended to scan logs for the presence of the string "vghpI7EToZUDIZDdprSubL3mTZ2," which is the encrypted representation of the web.config file path.
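The log check described above, written out as an added example (this is not Huntress or Gladinet code): a small scanner over IIS W3C extended logs that flags any request whose query string carries the encrypted web.config ticket string and any request from the reported source IP. The two indicator values are the ones from the write-up; the log lines are constructed for the example. It assumes the site logs the default IIS fields, in particular cs-uri-query and c-ip, since the ticket travels in the query string.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, Iterator

# Indicators reported by Huntress: the first segment of the crafted ticket
# (the encrypted web.config path) and the source IP observed in the attacks.
IOC_ENCRYPTED_WEBCONFIG_PATH = "vghpI7EToZUDIZDdprSubL3mTZ2"
IOC_SOURCE_IP = "147.124.216.205"


@dataclass
class Hit:
    line_no: int
    client_ip: str
    uri: str
    reasons: list[str] = field(default_factory=list)


def parse_w3c(lines: Iterable[str]) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line number, column->value) for each record of an IIS W3C log.

    Column names are taken from the most recent '#Fields:' directive, so the
    parser tolerates a reconfigured field order between log files.
    """
    columns: list[str] | None = None
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            columns = line.split()[1:]
            continue
        if not line or line.startswith("#") or columns is None:
            continue
        values = line.split(" ")
        if len(values) != len(columns):
            continue  # skip malformed records rather than mis-align columns
        yield line_no, dict(zip(columns, values))


def scan(lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per log record that matches at least one indicator."""
    hits: list[Hit] = []
    for line_no, rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")  # IIS writes '-' when there is no query
        client_ip = rec.get("c-ip", "-")
        reasons: list[str] = []
        if IOC_ENCRYPTED_WEBCONFIG_PATH in query:
            reasons.append("ticket for the encrypted web.config path")
        if client_ip == IOC_SOURCE_IP:
            reasons.append("reported attacker IP")
        if reasons:
            uri = stem if query == "-" else f"{stem}?{query}"
            hits.append(Hit(line_no, client_ip, uri, reasons))
    return hits


# Constructed sample log (not real traffic). Only the ticket on the second
# record and the IP on the last two are the indicators from the write-up.
SAMPLE_LOG_LINES = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    # an ordinary user fetching a file with an unrelated (made-up) ticket
    "2025-12-09 03:12:44 10.0.0.5 GET /storage/filesvr.dn t=K9QpLm2xVbN1:aCLI:userticket:sig 443 jsmith 203.0.113.7 Mozilla/5.0 200",
    # the crafted ticket: encrypted web.config path, no credentials (cs-username is '-')
    "2025-12-09 03:15:02 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu 443 - 198.51.100.23 python-requests/2.31 200",
    # reported attacker IP probing the endpoint with a different (made-up) ticket
    "2025-12-09 03:15:09 10.0.0.5 GET /storage/filesvr.dn t=QQQQ:aCLI:other:zz 443 - 147.124.216.205 python-requests/2.31 200",
    # reported attacker IP hitting another page, no query string
    "2025-12-09 03:16:00 10.0.0.5 GET /portal/loginpage.aspx - 443 - 147.124.216.205 Mozilla/5.0 200",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG_LINES):
        print(f"line {h.line_no}: {h.client_ip} {h.uri} -> {', '.join(h.reasons)}")
```

Point the scanner at the real log files (for the default site, under %SystemDrive%\inetpub\logs\LogFiles) rather than the constructed list. Two caveats: the ticket string can only be seen if query-string logging was left enabled, and a blank cs-username on its own is not a signal, because anonymous requests are logged the same way.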

In the event that indicators of compromise (IoCs) are detected, it is essential that the machine key is rotated by following the steps below. Patching alone does not help here: a machine key that has already been read out of web.config remains valid for ViewState deserialization until it is replaced.

  • On the CentreStack server, go to the CentreStack installation folder C:\Program Files (x86)\Gladinet Cloud Enterprise\root
  • Make a backup of web.config
  • Open IIS Manager
  • Navigate to Sites -> Default Web Site
  • In the ASP.NET section, double-click Machine Key
  • Click 'Generate Keys' in the right pane
  • Click Apply to save it to root\web.config
  • Restart IIS after repeating the same steps on all worker nodes