Imagine this: a hidden backdoor in your organization's file-sharing system, silently granting unauthorized access to sensitive data. That is not a hypothetical scenario; it is the reality for nine organizations compromised through a newly discovered vulnerability in Gladinet's CentreStack and Triofox products. More alarming still, the flaw stems from a seemingly innocuous practice: the use of hard-coded cryptographic keys.
Huntress, the cybersecurity firm that spotted the activity, has sounded the alarm about this actively exploited flaw. Security researcher Bryan Masters explains, 'Threat actors can potentially leverage this vulnerability to access the web.config file, a critical component that, when compromised, can lead to deserialization and remote code execution.'
The root of the problem is a function named 'GenerateSecKey()' in 'GladCtrl64.dll'. It is supposed to generate the cryptographic keys that protect access tickets, but it returns the same 100-byte text strings every time, so the keys are static and identical on every installation. Anyone who can inspect the binary knows them, and can therefore decrypt any ticket the server issues or mint a ticket of their own, bypassing the access checks the tickets were meant to enforce.
The consequences are dire. A forged ticket lets an attacker read files on the server, including web.config, and extract the ASP.NET machine key from it. That key validates and decrypts ViewState, so whoever holds it can craft a malicious ViewState payload that the server deserializes, turning file disclosure into remote code execution.
The attacks themselves are straightforward: a specially crafted request to the '/storage/filesvr.dn' endpoint carrying a forged ticket in the 't' parameter, like the example below:
/storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu
Notably, the forged tickets leave the Username and Password fields blank, which triggers a fallback that runs the request under the IIS Application Pool Identity rather than as a named user. The timestamp field in the ticket is set to 9999, so the ticket effectively never expires, and the attacker can reuse the same URL indefinitely to download the server's configuration.
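To make the two points above concrete (a static key means anyone with the binary can mint tickets, and a blank user plus a 9999 expiry yields an immortal ticket), here is a toy model added for this article. It is not Gladinet's code: the real ticket format and cipher are not described here, so the toy authenticates a 'path|user|expiry-year' body with an HMAC tag instead of encrypting it. The forgery property is the same, since whoever can reproduce the key can produce a ticket the server accepts. The seed string, the app-pool placeholder and the function names are illustrative.

```python
"""Toy model of why a static GenerateSecKey() is fatal for access tickets.

Added example, not Gladinet's code. The ticket here is 'path|user|expiry-year'
plus an HMAC-SHA256 tag; the real format and cipher are not public in the
article. The seed below and the identity placeholder are hypothetical.
"""
import base64
import hashlib
import hmac
import secrets


def generate_sec_key_static():
    """Vulnerable pattern: key derived only from constants compiled into the binary.
    Every server, and every attacker holding a copy of the DLL, computes the same key."""
    return hashlib.sha256(b"seed baked into the shipped binary (hypothetical)").digest()


def generate_sec_key_random():
    """Hardened pattern: a per-install key generated once at setup and stored outside
    the binary (protected config, DPAPI), so no copy of the software reveals it."""
    return secrets.token_bytes(32)


def mint_ticket(key, path, user, expiry_year):
    """Ticket issuance: base64 body plus an HMAC tag computed under the server key."""
    body = f"{path}|{user}|{expiry_year}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + ":" + tag


def verify_ticket(key, ticket, now_year):
    """Return the ticket's claims, or None if the tag is wrong or the ticket has expired."""
    b64, _, tag = ticket.rpartition(":")
    try:
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    path, user, expiry_year = body.decode().split("|")
    if int(expiry_year) < now_year:
        return None
    return {"path": path, "user": user}


def serve_file(server_key, ticket, now_year=2025):
    """Mimics the behaviour the article describes: a blank user is not rejected but
    falls back to the IIS application pool identity (placeholder string here)."""
    claims = verify_ticket(server_key, ticket, now_year)
    if claims is None:
        return "403 invalid or expired ticket"
    identity = claims["user"] or "<IIS application pool identity>"
    return f"200 {claims['path']} read as {identity}"


def attacker_forge(path):
    """Attacker with a copy of the binary re-derives the static key and mints an
    'immortal' ticket: blank user and expiry year 9999, as in the observed attacks."""
    key = generate_sec_key_static()
    return mint_ticket(key, path, user="", expiry_year=9999)


def demo():
    """Same forged ticket against a static-key server and a per-install-key server."""
    forged = attacker_forge("/web.config")
    static_server = generate_sec_key_static()   # identical to the attacker's key
    random_server = generate_sec_key_random()   # never left this machine
    return {
        "static_key_server": serve_file(static_server, forged),
        "random_key_server": serve_file(random_server, forged),
        "still_valid_in_2500": serve_file(static_server, forged, now_year=2500),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The static-key server accepts the forged ticket, reads the file as the application pool identity, and would still accept the same ticket centuries from now; the server with a per-install random key rejects it outright. A full fix also refuses blank usernames instead of falling back to a privileged identity and caps ticket lifetime server-side regardless of what the ticket claims.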
As of December 10th, nine organizations across sectors including healthcare and technology had been compromised. The attacks originated from the IP address 147.124.216[.]205 and chained this new exploit with a previously disclosed vulnerability (CVE-2025-11371) to obtain the machine key from the web.config file.
Huntress reports that, after obtaining the keys, the attackers attempted a ViewState deserialization attack but did not manage to retrieve the output of the command they ran. Even so, the attempt shows they were working toward code execution, not merely reading configuration files.
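Because the forged ticket travels in the query string, which IIS records in its W3C logs by default, the exploitation attempts described above leave a visible trace. The script below is an added example (not Huntress's or Gladinet's tooling) that parses IIS W3C log lines using the #Fields header and flags requests to /storage/filesvr.dn whose 't' ticket contains the encrypted web.config path Huntress published, as well as any request from the reported attacker IP. The log lines are constructed for illustration; the first one carries the ticket quoted in this article.

```python
"""Scan IIS W3C logs for the CentreStack/Triofox filesvr.dn exploitation pattern.

Added example, not vendor or Huntress code. Indicators come from the article:
the encrypted web.config path 'vghpI7EToZUDIZDdprSubL3mTZ2' inside the 't='
ticket, and the source IP 147.124.216.205. SAMPLE_LOG is constructed.
"""
from urllib.parse import parse_qs

IOC_TICKET_FRAGMENT = "vghpI7EToZUDIZDdprSubL3mTZ2"  # encrypted path to web.config
IOC_SOURCE_IPS = {"147.124.216.205"}                 # attacker IP reported by Huntress
TARGET_ENDPOINT = "/storage/filesvr.dn"

# Constructed sample: one real-looking exploit request, one benign ticket from an
# unrelated IP, one unrelated page, and an unrelated request from the attacker IP.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-12-09 03:14:07 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu 147.124.216.205 200
2025-12-09 03:14:09 10.0.0.5 GET /storage/filesvr.dn t=Qm9ndXNUaWNrZXQ:aCLI:c29tZXRoaW5n 203.0.113.7 200
2025-12-09 03:15:00 10.0.0.5 GET /portal/loginpage.aspx - 198.51.100.22 200
2025-12-09 03:16:31 10.0.0.5 POST /storage/upload.dn - 147.124.216.205 403
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the field names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(record):
    """Return the indicator names a single request matches (empty list if clean)."""
    reasons = []
    stem = record.get("cs-uri-stem", "").lower()
    query = record.get("cs-uri-query", "-")
    if stem.endswith(TARGET_ENDPOINT) and query != "-":
        # parse_qs decodes %7C etc., so matching works on the decoded ticket.
        ticket = parse_qs(query).get("t", [""])[0]
        if IOC_TICKET_FRAGMENT in ticket:
            reasons.append("web.config ticket")
    if record.get("c-ip") in IOC_SOURCE_IPS:
        reasons.append("known attacker ip")
    return reasons


def scan(text):
    """Return (timestamp, client ip, reasons) for every suspicious request in the log."""
    hits = []
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            hits.append((f"{rec['date']} {rec['time']}", rec.get("c-ip"), reasons))
    return hits


if __name__ == "__main__":
    for when, ip, reasons in scan(SAMPLE_LOG):
        print(f"{when} {ip}: {', '.join(reasons)}")
```

Point the script at the log directory for the CentreStack site (by default under inetpub\logs\LogFiles) rather than the sample string. A hit on 'web.config ticket' means an attacker requested that file and the machine key should be treated as stolen; a hit only on the IP is weaker evidence and should be reviewed in context, since addresses change hands.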
Is this the tip of the iceberg? Nine confirmed victims is the count Huntress can see; other organizations running unpatched instances could be silently compromised, and the potential for wider damage is real.
Organizations using CentreStack and Triofox must act immediately. Update to the latest version, 16.12.10420.56791, released on December 8th, 2025. Then search the IIS logs for the string 'vghpI7EToZUDIZDdprSubL3mTZ2', the encrypted path to web.config as it appears in the malicious tickets; any hit means an attacker requested that file. If indicators of compromise (IoCs) are found, assume the machine key has been stolen and rotate it, because patching alone leaves a leaked key valid. Rotation is a short procedure on the CentreStack server: back up the web.config file, generate new keys through IIS Manager, and restart the IIS service.
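The rotation steps above can also be scripted. The following is an added example, not Gladinet's or Huntress's procedure: it backs up web.config beside itself, generates a fresh validationKey and decryptionKey of the same lengths IIS Manager's "Generate Keys" produces (64 and 32 bytes), rewrites the <machineKey> element, and leaves the IIS restart to you. The sample web.config is constructed; a real one from a CentreStack install will contain many more settings.

```python
"""Rotate the ASP.NET <machineKey> in a web.config after a suspected key theft.

Added example, not Gladinet tooling. Performs two of the three remediation
steps from the article (back up web.config, generate new keys); the third,
restarting IIS, is a separate `iisreset`. SAMPLE_WEB_CONFIG is constructed.
"""
import secrets
import shutil
import time
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="00000000000000000000000000000000" decryptionKey="11111111111111111111111111111111" validation="SHA1" decryption="AES" />
    <compilation targetFramework="4.8" />
  </system.web>
</configuration>
"""


def generate_machine_key():
    """Fresh random keys: 64-byte validationKey for HMACSHA256, 32-byte decryptionKey
    for AES, hex-encoded as ASP.NET expects. Lengths match IIS Manager's generator."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key_xml(xml_text, new_key=None):
    """Return (new xml text, old machineKey attributes, new attributes).
    Creates <system.web>/<machineKey> if the config relied on auto-generated keys."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "configuration":
        raise ValueError(f"not a web.config: root element is <{root.tag}>")
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    old = dict(mk.attrib)
    new = new_key or generate_machine_key()
    mk.attrib.clear()          # drop the compromised keys and any stale algorithm settings
    mk.attrib.update(new)
    return ET.tostring(root, encoding="unicode"), old, new


def rotate_web_config(path):
    """Step 1: timestamped backup next to the file. Step 2: rewrite with new keys.
    Returns (backup path, old attributes, new attributes)."""
    backup = f"{path}.bak-{time.strftime('%Y%m%d-%H%M%S')}"
    shutil.copy2(path, backup)
    with open(path, "r", encoding="utf-8-sig") as f:   # utf-8-sig strips the BOM .NET often writes
        new_xml, old, new = rotate_machine_key_xml(f.read())
    with open(path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n' + new_xml + "\n")
    return backup, old, new


if __name__ == "__main__":
    import os
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "web.config")
        with open(cfg, "w", encoding="utf-8") as f:
            f.write(SAMPLE_WEB_CONFIG)
        backup, old, new = rotate_web_config(cfg)
        print("backup written:", os.path.basename(backup))
        print("validation:", old.get("validation"), "->", new["validation"])
        print("step 3 is manual: run `iisreset` on the CentreStack server")
```

Two caveats for real use: ElementTree drops XML comments and reflows attributes, which is why the backup in step 1 is not optional (IIS Manager's Generate Keys edits the file in place without that side effect); and if CentreStack runs on more than one web server behind a load balancer, every node needs the same new key, since ASP.NET cannot validate ViewState produced under a different key. Rotating the key also invalidates existing ViewState and forms-authentication cookies, so expect users to re-authenticate.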
Hard-coded keys are convenient for a vendor, but they are a glaring security weakness: once anyone has inspected one copy of the software, every installation shares a secret that is no longer secret. This incident is a stark reminder that key material must be generated per deployment and kept out of shipped binaries, and of the constant vigilance required to protect sensitive data in an increasingly interconnected world.
What are your thoughts on this vulnerability? Do you think the use of hard-coded keys is ever justifiable, or is it an inherently dangerous practice? Let us know in the comments below.