Full Report
Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far. "Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution," security researcher Bryan Masters said.
Analysis Summary
# Vulnerability: Hard-Coded Cryptographic Keys Leading to RCE in Gladinet/Triofox
## CVE Details
- CVE ID: Not explicitly provided in the text (Note: A previously disclosed flaw, CVE-2025-11371, is referenced but is not the current vulnerability being detailed).
- CVSS Score: Not explicitly provided.
- CWE: CWE-321 (Use of Hard-coded Cryptographic Key); the broader CWE-798 (Use of Hard-coded Credentials) is its parent and also applies.
## Affected Systems
- Products: Gladinet CentreStack and Triofox.
- Versions: All versions prior to 16.12.10420.56791 (released December 8, 2025).
- Configurations: Not configuration-dependent; the keys are compiled into `GladCtrl64.dll`, so every unpatched installation is affected.
## Vulnerability Description
The vulnerability stems from hard-coded cryptographic keys used to encrypt access tickets. The keys are derived from the output of the `GenerateSecKey()` function in `GladCtrl64.dll`, and because that function returns the same 100-byte strings every time it is called, the derived keys are static and identical on every installation that ships the DLL. Anyone who extracts the constants from the DLL can decrypt legitimate access tickets or forge tickets of their own. A forged ticket naming `web.config` lets the attacker download that file, which contains the ASP.NET `machineKey`; with the machine key the attacker can produce a validly signed ViewState payload that the application deserializes, giving Remote Code Execution (RCE).
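The dependency on a static key, as an added illustration rather than Gladinet's code: the ticket format, the seed bytes, the toy HMAC-counter stream cipher and every function name here are invented for the example, and only the structure of the problem mirrors the advisory. The vulnerable half shows that an attacker who extracts the same constant can both read captured tickets and mint one for `web.config`; the hardened half uses a per-installation random key held outside the binary plus an authentication tag, so the same attacker is rejected:

```python
"""Why a hard-coded key makes access tickets forgeable.

Added illustration, not Gladinet code: the ticket format, the seed value and the
toy cipher are all invented. Only the lesson carries over: if the key is derived
from a constant shipped in the binary, every attacker holds the server's key.
"""
import hashlib
import hmac
import secrets

# Stand-in for a constant baked into a binary. The advisory describes a 100-byte
# value returned by GenerateSecKey() in GladCtrl64.dll; this byte string is made up.
HARDCODED_SEED = b"\x41" * 100

NONCE_LEN = 12
TAG_LEN = 32


def derive_key(seed: bytes) -> bytes:
    """Key derivation from whatever seed the application holds (hypothetical KDF)."""
    return hashlib.sha256(b"ticket-key" + seed).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher for this illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Vulnerable design: encrypt-only ticket under a key from a shipped constant ---

def seal_ticket(key: bytes, path: str) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = path.encode()
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def open_ticket(key: bytes, ticket: bytes) -> str:
    nonce, body = ticket[:NONCE_LEN], ticket[NONCE_LEN:]
    return _xor(body, _keystream(key, nonce, len(body))).decode()


def demo_vulnerable() -> tuple:
    """Server and attacker derive the same key: the attacker reads a captured
    ticket and forges one pointing at web.config that the server accepts."""
    server_key = derive_key(HARDCODED_SEED)
    attacker_key = derive_key(HARDCODED_SEED)      # same constant, pulled from the DLL
    captured = seal_ticket(server_key, "users/alice/report.pdf")
    leaked_path = open_ticket(attacker_key, captured)
    forged = seal_ticket(attacker_key, "web.config")
    served_path = open_ticket(server_key, forged)   # server cannot tell it was forged
    return leaked_path, served_path


# --- Hardened design: per-installation random key plus an authentication tag ---

def seal_authenticated(key: bytes, path: str) -> bytes:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = path.encode()
    body = nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_authenticated(key: bytes, ticket: bytes) -> str:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("ticket authentication failed")
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return _xor(ct, _keystream(enc_key, nonce, len(ct))).decode()


def demo_hardened() -> tuple:
    """Key generated at install time and kept outside the binary (on Windows,
    DPAPI-protected storage would do); the shipped constant buys the attacker nothing."""
    install_key = secrets.token_bytes(32)            # generated once per deployment
    legit = seal_authenticated(install_key, "users/alice/report.pdf")
    ok_path = open_authenticated(install_key, legit)
    forged = seal_authenticated(derive_key(HARDCODED_SEED), "web.config")
    try:
        open_authenticated(install_key, forged)
        forgery_accepted = True
    except ValueError:
        forgery_accepted = False
    return ok_path, forgery_accepted


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())   # attacker reads and forges
    print("hardened:  ", demo_hardened())     # legit ticket opens, forgery rejected
```

The hardened version still needs an authorization check on the decrypted path (a ticket for `web.config` should never be honoured even when genuine); the example only shows the key-management half of the fix.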
## Exploitation
- Status: Actively exploited in the wild (reported on nine organizations).
- Complexity: Low (assumed): the keys can be recovered from the shipped DLL, the forged-ticket request needs no interaction from a victim, and the request pattern is already in attackers' hands.
- Attack Vector: Network (via specially crafted URL requests to the `/storage/filesvr.dn` endpoint).
## Impact
- Confidentiality: High (Access to sensitive configuration files like `web.config`, credentials/authorization data within tickets).
- Integrity: High (Ability to execute arbitrary code via RCE).
- Availability: Potentially High; code execution on the server allows the service to be disrupted or destroyed.
## Remediation
### Patches
- Update to the latest version: **16.12.10420.56791** (released December 8, 2025) or later for both CentreStack and Triofox.
### Workarounds
1. **Log Scanning (detection, not mitigation):** Search web server and application logs for the indicator string `"vghpI7EToZUDIZDdprSubL3mTZ2"`, the encrypted form of the path to `web.config`. A hit does not block the attack; it tells you the machine key may already be in an attacker's hands and that the rotation step below is needed in addition to patching.
2. **Machine Key Rotation (If Compromised):** Rotation replaces a `machineKey` the attacker may already hold; it does not close the ticket-forgery flaw, so patch first, then rotate if logs show the `web.config` indicator was requested.
    * Back up the existing `web.config` in the installation folder (`C:\Program Files (x86)\Gladinet Cloud Enterprise\root`).
    * In IIS Manager, navigate to the Default Web Site.
    * In the ASP.NET section, select Machine Key.
    * Click 'Generate Keys' and apply the change to `root\web.config`.
    * Repeat this process for all worker nodes. Nodes that sit behind a load balancer and serve the same ASP.NET application must carry identical `machineKey` values, so check the vendor hardening guide for how the cluster is arranged before generating different keys per node.
    * Restart IIS.
    * Expect existing ViewState and forms-authentication tickets to become invalid; users will have to sign in again, which is the intended effect.
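The rotation procedure above done as a reviewable script, as an added example and not the vendor's tooling (the advisory's procedure clicks 'Generate Keys' in IIS Manager). `SAMPLE_WEB_CONFIG`, the helper names, and the choice of HMACSHA256 with a 64-byte validation key and AES with a 32-byte decryption key are this example's assumptions; the `machineKey` attribute names are the standard ASP.NET ones. Written in Python so it runs anywhere for review; on the Windows host the same edit would normally be done with IIS Manager or PowerShell:

```python
"""Rotate the ASP.NET machineKey in a web.config programmatically.

Added example, not Gladinet's or Huntress's code. Key sizes and algorithms are
this example's choices; the sample web.config is constructed.
"""
import secrets
import shutil
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path
from typing import Optional

# 64-byte key for HMACSHA256 validation, 32-byte key for AES decryption
# (chosen here; what IIS Manager's 'Generate Keys' picks may differ).
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32

# Constructed stand-in for root\web.config (real files are far larger).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- keep: comments must survive the rewrite -->
  <appSettings>
    <add key="SomeSetting" value="1" />
  </appSettings>
  <system.web>
    <machineKey validationKey="0000" decryptionKey="0000" validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def new_machine_key_attrs() -> dict:
    """Fresh random keys from the OS CSPRNG, hex-encoded as ASP.NET expects."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def _parse(xml_text: str) -> ET.Element:
    # ElementTree drops comments by default; keep them so the config is not mangled.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def rotate_machine_key(xml_text: str, attrs: Optional[dict] = None) -> str:
    """Return web.config text with <system.web><machineKey> replaced by new keys."""
    root = _parse(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()                       # drop AutoGenerate/IsolateApps leftovers
    mk.attrib.update(attrs or new_machine_key_attrs())
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def read_machine_key(xml_text: str) -> dict:
    """Current machineKey attributes, or {} if none is configured."""
    mk = _parse(xml_text).find("system.web/machineKey")
    return dict(mk.attrib) if mk is not None else {}


def rotate_file(path: str, attrs: Optional[dict] = None) -> Path:
    """Back the file up beside itself, then rewrite it; returns the backup path.
    Pass the same attrs to every node that must share ViewState/auth tickets."""
    p = Path(path)
    backup = p.with_name(f"{p.name}.{datetime.now():%Y%m%d-%H%M%S}.bak")
    shutil.copy2(p, backup)
    p.write_text(rotate_machine_key(p.read_text(encoding="utf-8"), attrs), encoding="utf-8")
    return backup


if __name__ == "__main__":
    attrs = new_machine_key_attrs()         # generate once, reuse across nodes
    print(rotate_machine_key(SAMPLE_WEB_CONFIG, attrs))
```

Restart IIS after the rewrite, exactly as in the manual procedure; the new keys are only read when the application domain starts.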
## Detection
- Indicators of Compromise (IoCs):
    * Requests to the `/storage/filesvr.dn` endpoint whose `t=` ticket carries the indicator string. The sample is in IIS W3C log form, where `cs-uri-stem` and `cs-uri-query` are separate space-separated columns; on the wire the same request is `/storage/filesvr.dn?t=...`: `/storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu`
    * Attempts to chain this exploit with the previously disclosed LFI flaw (CVE-2025-11371).
- Detection Methods and Tools: Review IIS and application logs for the request pattern and the indicator string above; an HTTP 200 on such a request means `web.config` was most likely served and the machine key should be treated as compromised. Because the follow-on ViewState deserialization executes inside the IIS worker process, also hunt for `w3wp.exe` spawning `cmd.exe`, `powershell.exe` or other unexpected child processes.
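The log scanning from the Workarounds and Detection sections, as an added example that is not Huntress tooling. The endpoint and the indicator string are the advisory's; the log lines, IP addresses, user agents and status codes are constructed. The parser relies on the IIS W3C format logging the URI stem and query as separate columns and counts every `filesvr.dn` request per client so that the same source probing with other tickets stands out:

```python
"""Scan IIS W3C logs for the published Gladinet/Triofox IoC.

Added example, not Huntress tooling. Endpoint and indicator string are from the
advisory; the sample log, IPs and user agents are constructed.
"""
from urllib.parse import unquote

IOC_ENDPOINT = "/storage/filesvr.dn"
# Encrypted path to web.config, per the advisory.
IOC_TICKET_MARKER = "vghpI7EToZUDIZDdprSubL3mTZ2"

# Constructed sample: two ordinary requests, one filesvr.dn request with an
# unrelated ticket, and one carrying the IoC that was answered with 200.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-12-09 08:14:03 10.0.0.5 GET /portal/loginpage.aspx - 443 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200
2025-12-09 08:14:09 10.0.0.5 GET /storage/filesvr.dn t=AbCdEf:aCLI:0123456789 443 198.51.100.7 python-requests/2.32 404
2025-12-09 08:14:11 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu 443 198.51.100.7 python-requests/2.32 200
2025-12-09 08:15:00 10.0.0.5 GET /static/app.js - 443 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 304
"""


def parse_iis_w3c(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split()
        if len(values) != len(fields):
            continue                # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def scan(text: str):
    """Return (ioc_matches, filesvr_hits_by_ip).

    ioc_matches: requests to the ticket endpoint whose query contains the marker.
    filesvr_hits_by_ip: count of all filesvr.dn requests per client IP, for
    baselining and for spotting a source that probes with other tickets.
    """
    matches = []
    hits_by_ip = {}
    for rec in parse_iis_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != IOC_ENDPOINT:
            continue
        ip = rec.get("c-ip", "-")
        hits_by_ip[ip] = hits_by_ip.get(ip, 0) + 1
        query = unquote(rec.get("cs-uri-query", ""))    # %7C -> '|', etc.
        if IOC_TICKET_MARKER in query:
            matches.append({
                "time": f"{rec.get('date')} {rec.get('time')}",
                "c-ip": ip,
                "status": rec.get("sc-status"),
                # A 2xx here means web.config was most likely served: treat the
                # machineKey as compromised and rotate it after patching.
                "likely_served": rec.get("sc-status", "").startswith("2"),
                "query": query,
            })
    return matches, hits_by_ip


if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG)
    for m in found:
        print(f"IOC {m['time']} {m['c-ip']} status={m['status']} served={m['likely_served']}")
    for ip, n in sorted(per_ip.items()):
        print(f"filesvr.dn requests from {ip}: {n}")
```

`cs-uri-query` is in the default IIS W3C field set; if logging was trimmed to fewer fields the marker will not be visible, and a ticket sent in a POST body or header would not appear in these logs at all. Feed the script the rotated `u_ex*.log` files for the whole exposure window, not just the current day.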
## References
- Vendor Advisory (CentreStack Update): hxxps://www.centrestack.com/p/gce_latest_release.html
- Vendor Advisory (Triofox Releases): hxxps://access.triofox.com/releases_history/
- Machine Key Rotation Guide: hxxps://support.centrestack.com/hc/en-us/articles/360007159054-Hardening-the-CentreStack-Cluster#h_01JQRV57T37HJFQZKBZH9NBXQP
- Research/Advisory Source: hxxps://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability