Gladinet CentreStack And Triofox Flaw Actively Exploited Through Hard-Coded Cryptographic Keys


Huntress has issued a warning about an actively exploited vulnerability in Gladinet CentreStack and Triofox that stems from the use of hard-coded cryptographic keys; it has already impacted nine organizations. Security researcher Bryan Masters said attackers can exploit the weakness to read the web.config file, opening the door to deserialization and remote code execution. According to Huntress, the vulnerability lies in a function named GenerateSecKey() in GladCtrl64.dll, which produces the cryptographic keys used to protect access tickets carrying user authorization details. Access tickets grant credential-validated entry to the file system, but because GenerateSecKey() returns the same one-hundred-byte string on every installation, every key derived from it is identical. An attacker can therefore decrypt any valid access ticket and forge new tickets with whatever authorization they choose.

The weakness lets an attacker retrieve sensitive files, including web.config, which holds the ASP.NET machine key needed to carry out ViewState deserialization and, from there, remote code execution. Huntress reported that exploitation attempts consist of specially crafted URL requests to the storage/filesvr endpoint. The requests omit both the Username and Password fields, so the application falls back to its IIS Application Pool Identity and grants access without valid credentials. The timestamp field in the forged access ticket is set to 9999, so the ticket never expires and can be replayed indefinitely, allowing repeated downloads of server configuration data. Attackers have been observed chaining this flaw with CVE-2025-11371, a previously disclosed vulnerability in the same products, to obtain the machine key once web.config has been reached.
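To make the key-handling problem in the two paragraphs above concrete, the following Python model is an added example written for this article; it is not Gladinet code and not Huntress's proof of concept. The 100-byte constant, the encrypt-then-MAC ticket layout, the JSON field names and the SHA-256 counter-mode toy cipher are all assumptions standing in for the unpublished GenerateSecKey() output and ticket format; what is faithful is the class of bug, a key derived from a constant that ships identically in every installation. It shows that a ticket captured from one install decrypts with the key from any other install, that a ticket minted elsewhere with a year-9999 expiry is accepted indefinitely, and that deriving the key from a per-installation random secret defeats the forgery.

```python
import hashlib
import hmac
import json
import secrets
import time
from datetime import datetime, timezone

# Constructed stand-in for the bug described in the article. The real
# GenerateSecKey() output and the real ticket layout are not published here,
# so the 100-byte constant, the encrypt-then-MAC layout and the field names
# below are assumptions; only the *class* of flaw is faithful.
HARD_CODED_SEED = b"ConstantSeedShippedInEveryBuild".ljust(100, b"-")  # same 100 bytes everywhere
NEVER_EXPIRES = int(datetime(9999, 12, 31, tzinfo=timezone.utc).timestamp())


def generate_sec_key_vulnerable() -> bytes:
    """Vulnerable pattern: key derived from a constant, so identical on every install."""
    return hashlib.sha256(HARD_CODED_SEED).digest()


def generate_sec_key_hardened(install_secret: bytes) -> bytes:
    """Hardened pattern: key derived from a random secret generated once per installation."""
    return hashlib.sha256(b"ticket-key" + install_secret).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; a toy cipher used only so the demo needs no third-party package."""
    blocks = []
    for counter in range((n + 31) // 32):
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
    return b"".join(blocks)[:n]


def seal_ticket(key: bytes, user: str, expires: int) -> str:
    """Encrypt-then-MAC an access ticket: hex(nonce || ciphertext || tag)."""
    plaintext = json.dumps({"user": user, "expires": expires}, sort_keys=True).encode()
    nonce = secrets.token_bytes(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return (nonce + ciphertext + tag).hex()


def open_ticket(key: bytes, ticket: str, now: int):
    """Return the authorised user, or None if the tag fails or the ticket has expired."""
    raw = bytes.fromhex(ticket)
    nonce, ciphertext, tag = raw[:12], raw[12:-32], raw[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    data = json.loads(plaintext)
    if data["expires"] < now:
        return None
    return data["user"]


def demo(now: int = None) -> dict:
    now = int(time.time()) if now is None else now
    # Victim and attacker each run their own copy of the product.
    victim_vuln = generate_sec_key_vulnerable()
    attacker_vuln = generate_sec_key_vulnerable()
    # 1. A ticket captured from the victim is readable with the key every install shares.
    legit = seal_ticket(victim_vuln, "alice", now + 600)
    # 2. A ticket forged on the attacker's install, with the far-future expiry the
    #    article describes, is accepted by the victim now and indefinitely.
    forged = seal_ticket(attacker_vuln, "administrator", NEVER_EXPIRES)
    # Hardened: distinct per-install secrets, so the same forgery fails.
    victim_hard = generate_sec_key_hardened(secrets.token_bytes(32))
    attacker_hard = generate_sec_key_hardened(secrets.token_bytes(32))
    forged_hard = seal_ticket(attacker_hard, "administrator", NEVER_EXPIRES)
    return {
        "decrypted_by_attacker": open_ticket(attacker_vuln, legit, now),
        "forgery_accepted_now": open_ticket(victim_vuln, forged, now),
        "forgery_accepted_in_100_years": open_ticket(victim_vuln, forged, now + 100 * 365 * 86400),
        "hardened_accepts_forgery": open_ticket(victim_hard, forged_hard, now),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is not a longer constant or a different hash: any value baked into the shipped binary is known to everyone who has the binary. The secret has to be generated at install time and stored outside the code, and outstanding tickets should be invalidated when it is rotated.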

As of December 10, nine organizations, including in the healthcare and technology sectors, have been affected. Huntress said the attack attempts originate from the IP address 147.124.216.205 and follow a coordinated sequence of actions aimed at extracting configuration data and executing remote commands. After obtaining the cryptographic keys, the actor attempted a ViewState deserialization attack and tried to retrieve the output of the execution, though that step was unsuccessful. The vulnerability has not yet been assigned a CVE identifier, but Huntress has stressed its severity given how simple it is to exploit and how much unauthorized access it permits. Customers running CentreStack or Triofox are urged to update to the latest version, 16.12.10420.56791, released on December 8, 2025. Logs should also be reviewed for the string vghpI7EToZUDIZDdprSubL3mTZ2, which indicates an attempt to access the encrypted path of the web.config file.

Huntress also stressed rotating the machine key if indicators of compromise are found: back up web.config in the CentreStack installation directory, generate new machine keys with IIS Manager on each worker node, then restart IIS. This newly disclosed flaw is the third known vulnerability in these products to be actively exploited this year, after CVE-2025-30406 and CVE-2025-11371. Huntress analysts believe a single actor may be behind the activity, since all three vulnerabilities appear to be chained in a coordinated progression. Senior analyst Anna Pham said the workflow linking the vulnerabilities shows clear familiarity with Gladinet's security history, suggesting the actor has extensive knowledge of previously disclosed flaws.
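The log-review and key-rotation guidance above can be turned into a small triage routine. The Python below is an added example for this article, not a Huntress or Gladinet tool. The indicator string and the source IP are the ones reported above; the IIS W3C log lines are constructed for the demo, and the query-string parameter name "t" and the characters following the indicator are assumptions, since the article does not give the exact request layout. Beyond the plain string match, the routine also flags any request from the reported IP, counts requests per client, and records whether an indicator request returned HTTP 200, the case where web.config has most likely left the server and the machine-key rotation described above should follow.

```python
from collections import Counter
from typing import Iterator

# Indicators reported by Huntress, as summarised in the article above.
INDICATOR = "vghpI7EToZUDIZDdprSubL3mTZ2"
KNOWN_SOURCE_IP = "147.124.216.205"

# Constructed IIS W3C-extended log excerpt for the demo; this is not real traffic.
# The query parameter name "t" and the suffix after the indicator are assumptions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-09 10:01:02 10.0.0.5 GET /portal/loginpage.aspx - 443 - 10.0.0.77 Mozilla/5.0 200
2025-12-09 10:03:44 10.0.0.5 GET /storage/filesvr t=vghpI7EToZUDIZDdprSubL3mTZ2Ab 443 - 147.124.216.205 python-requests/2.31.0 200
2025-12-09 10:03:45 10.0.0.5 POST /portal/default.aspx - 443 - 147.124.216.205 python-requests/2.31.0 500
2025-12-09 10:05:10 10.0.0.5 GET /storage/filesvr t=vghpI7EToZUDIZDdprSubL3mTZ2Ab 443 - 203.0.113.9 curl/8.4.0 200
2025-12-09 10:06:00 10.0.0.5 GET /storage/filesvr t=9f2c1ab 443 jdoe 10.0.0.78 Mozilla/5.0 200
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def triage(text: str) -> dict:
    """Flag requests that carry the web.config indicator or come from the reported IP."""
    hits = []
    config_download_succeeded = False
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        reasons = []
        if INDICATOR in uri:
            reasons.append("encrypted web.config path requested")
            if rec.get("sc-status") == "200":
                config_download_succeeded = True  # treat as probable exfiltration of web.config
        if rec.get("c-ip") == KNOWN_SOURCE_IP:
            reasons.append("reported attacker IP")
        if reasons:
            hits.append({
                "time": rec.get("date", "") + " " + rec.get("time", ""),
                "client": rec.get("c-ip", ""),
                "uri": uri,
                "status": rec.get("sc-status", ""),
                "reasons": reasons,
            })
    return {
        "hits": hits,
        "by_client": Counter(h["client"] for h in hits),
        "config_download_succeeded": config_download_succeeded,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["hits"]:
        print(hit["time"], hit["client"], hit["status"], hit["uri"], "; ".join(hit["reasons"]))
    print("requests per client:", dict(result["by_client"]))
    if result["config_download_succeeded"]:
        print("indicator request returned 200: rotate the machine key and review for ViewState abuse")
```

Point the routine at the IIS site's log directory rather than the embedded sample when running it for real, and treat a single 200 on an indicator request as sufficient reason to rotate the machine key on every worker node, since a ticket with a 9999 expiry can be replayed long after the original request.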
