
Huntress warns that a new vulnerability in Gladinet’s CentreStack and Triofox products due to the use of hard-coded encryption keys is being actively exploited, affecting nine organizations so far.
“An attacker could exploit this as a way to access the web.config file, potentially opening the door to deserialization and remote code execution,” security researcher Brian Masters said.
Hardcoded cryptographic keys can allow an attacker to decrypt or forge access tickets, gaining access to sensitive files such as Web.config, which could be exploited for ViewState deserialization or remote code execution, the cybersecurity firm added.
The crux of the issue lies in a function named “GenerateSecKey()” located in “GladCtrl64.dll”. This function encrypts the access ticket containing the authentication data (username and password) and derives the encryption key that grants file-system access as that user, assuming the credentials are valid.

Because the GenerateSecKey() function returns the same 100-byte text strings and these strings are used to derive the cryptographic keys, the keys never change and can be weaponized to decrypt tickets generated by the server or to encrypt tickets of the attacker’s choosing.
This opens the door to a scenario where files containing valuable data, such as web.config files, can be exploited to obtain the machine key needed for remote code execution via ViewState deserialization.
According to Huntress, the attack takes the form of a specially crafted URL request to the “/storage/filesvr.dn” endpoint, similar to the following:
/storage/filesvr.dn?t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu
This attack was found to leave the username and password fields blank, causing the application to fall back to the IIS application pool identity. Additionally, the access ticket’s timestamp field, which indicates when the ticket was created, is set to 9999, effectively creating a ticket that never expires and allowing an attacker to reuse the URL indefinitely to download server configurations.
As of December 10th, there are nine organizations affected by the newly disclosed flaw. These organizations come from a wide range of sectors, including healthcare and technology. The attack originates from IP address 147.124.216[.]205 and attempts to chain a previously disclosed flaw (CVE-2025-11371) in the same application with a new exploit that accesses machine keys from the web.config file.
“Once the attacker had the key, he attempted to perform a view state deserialization attack and retrieve the resulting output, but was unsuccessful,” Huntress said.
In light of active exploitation, organizations using CentreStack and Triofox should update to the latest version 16.12.10420.56791, released on December 8, 2025. Additionally, we recommend scanning the logs for the presence of the string “vghpI7EToZUDIZDdprSubL3mTZ2”, which is an encrypted representation of the web.config file path.
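Huntress's log-scan recommendation above, written out as an added PowerShell example (not Huntress's or Gladinet's tooling). It assumes the default IIS log directory C:\inetpub\logs\LogFiles and W3C-format logs; the sample log lines in the block are constructed for the example, and the only indicators it matches are the two the article names (the encrypted web.config ticket prefix and the reported source address).

```powershell
# Added example, not Huntress/Gladinet code: flag IIS W3C log lines carrying the
# indicators named in the article. $LogDir is the default IIS location (assumption).
$LogDir = 'C:\inetpub\logs\LogFiles'

$Ioc = @{
    TicketPrefix = 'vghpI7EToZUDIZDdprSubL3mTZ2'  # encrypted web.config path, per Huntress
    SourceIp     = '147.124.216.205'              # source address reported by Huntress
}

function Find-CentreStackIoc {
    param([string[]]$Lines, [string]$Source = '<inline>')
    $hits = @()
    foreach ($line in $Lines) {
        # Skip blank lines and W3C header/directive lines.
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $reasons = @()
        if ($line.Contains($Ioc.TicketPrefix)) { $reasons += 'encrypted web.config ticket' }
        if ($line.Contains($Ioc.SourceIp))     { $reasons += 'reported source IP' }
        if ($reasons.Count -gt 0) {
            $hits += [pscustomobject]@{
                Source  = $Source
                Reasons = ($reasons -join ', ')
                Line    = $line
            }
        }
    }
    return $hits
}

# Constructed sample log lines (W3C format) so the function can be exercised without real logs.
# The token after the known prefix is shortened to a placeholder.
$Sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status',
    '2025-12-09 10:14:58 10.0.0.5 GET /portal/loginpage.aspx - 443 - 192.0.2.10 Mozilla/5.0 200',
    '2025-12-09 10:15:02 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:PLACEHOLDER 443 - 147.124.216.205 Mozilla/5.0 200'
)
Find-CentreStackIoc -Lines $Sample -Source 'sample' | Format-Table -AutoSize

# Live scan of the IIS log directory, if present.
if (Test-Path $LogDir) {
    Get-ChildItem -Path $LogDir -Recurse -Filter '*.log' | ForEach-Object {
        Find-CentreStackIoc -Lines (Get-Content $_.FullName) -Source $_.FullName
    } | Format-Table -AutoSize
}
```

Only the second sample line is reported, with both reasons. A hit on the ticket prefix alone is the stronger signal: the source address can change between campaigns, but the prefix is tied to the encrypted web.config path that the hard-coded key produces.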

If an indicator of compromise (IoC) is detected, the machine key must be rotated by following the steps below.
1. On the CentreStack server, navigate to the CentreStack installation folder C:\Program Files (x86)\Gladinet Cloud Enterprise\root and create a backup of web.config.
2. Open IIS Manager and go to Sites -> Default Web Site.
3. In the ASP.NET section, double-click Machine Key.
4. In the right pane, click Generate Keys, then click Apply to save the new keys to root\web.config.
5. Repeat the same steps on all worker nodes, then restart IIS.
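The same rotation as a script, added here as an example and not Gladinet's or Huntress's guidance. It edits the system.web/machineKey element in web.config directly instead of clicking Generate Keys in IIS Manager. The installation path is the one the article gives; the key sizes (64-byte validation key for HMACSHA256, 32-byte decryption key for AES) are standard ASP.NET values and are an assumption, not something the article states.

```powershell
# Added example, not Gladinet's or Huntress's code: scripted machineKey rotation for
# CentreStack. Backs up web.config, writes fresh random keys, then restarts IIS.
$Root = 'C:\Program Files (x86)\Gladinet Cloud Enterprise\root'   # path from the article
$ConfigPath = Join-Path $Root 'web.config'

function New-HexKey {
    param([int]$ByteLength)
    # Cryptographically random bytes, rendered as the upper-case hex ASP.NET expects.
    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Update-MachineKey {
    param([string]$Path)

    # 1. Back up the current web.config before touching it.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item -Path $Path -Destination "$Path.$stamp.bak"

    # 2. Load the file, preserving whitespace so the resulting diff stays readable.
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($Path)

    $systemWeb = $doc.SelectSingleNode('/configuration/system.web')
    if ($null -eq $systemWeb) {
        $systemWeb = $doc.DocumentElement.AppendChild($doc.CreateElement('system.web'))
    }
    $machineKey = $systemWeb.SelectSingleNode('machineKey')
    if ($null -eq $machineKey) {
        $machineKey = $systemWeb.AppendChild($doc.CreateElement('machineKey'))
    }

    # 3. Replace both keys; the old values are what an attacker who read web.config holds.
    $machineKey.SetAttribute('validationKey', (New-HexKey 64))   # 64 bytes: assumed HMACSHA256 size
    $machineKey.SetAttribute('decryptionKey', (New-HexKey 32))   # 32 bytes: assumed AES-256 size
    $machineKey.SetAttribute('validation', 'HMACSHA256')
    $machineKey.SetAttribute('decryption', 'AES')

    $doc.Save($Path)
    Write-Host "Rotated machineKey in $Path (backup: $Path.$stamp.bak)"
}

Update-MachineKey -Path $ConfigPath

# 4. Restart IIS so the new key is loaded. Per the article, repeat this on every worker node.
iisreset
```

Run it from an elevated PowerShell session on each node in turn. Rotating the key invalidates any ViewState signed with the old one, which is the point: a captured web.config no longer yields a usable key.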
