Hackers Exploit Gladinet CentreStack Cryptographic Flaw: What You Need to Know About the New RCE Attacks

A newly uncovered security flaw in Gladinet’s CentreStack and Triofox products has opened the door to dangerous remote code execution (RCE) attacks, and hackers are wasting no time exploiting it. The vulnerability, tied to a broken cryptographic implementation, allows threat actors to extract hardcoded encryption keys, impersonate users, and ultimately execute malicious code on affected systems.

Although the flaw is still undocumented and has not been assigned an official CVE ID, Gladinet has confirmed active exploitation and is urging all customers to update immediately.


What Went Wrong?

A Deep Dive into the Cryptographic Weakness

Security researchers discovered that the core of the problem lies in a custom AES encryption implementation within CentreStack and Triofox. Instead of using unique, system-derived keys, the software relied on hardcoded encryption keys and IVs stored inside a DLL file named GladCtrl64.dll.

These keys were:

  • Hardcoded directly into the product
  • Derived from two identical 100-byte strings containing Chinese and Japanese text
  • Shared across every installation of CentreStack and Triofox worldwide

This means any attacker who extracts the keys once can:

✔ Decrypt authentication “Access Tickets”
✔ Forge their own tickets
✔ Impersonate legitimate users
✔ Request any file stored on the server
✔ Gain the foothold needed for full RCE

Huntress, the cybersecurity firm investigating the attacks, confirmed that threat actors were generating fake tickets with timestamps set to the year 9999 — making them effectively never expire.

How Hackers Turned a Crypto Bug into Full Remote Code Execution

Once attackers forged valid Access Tickets, the next move was to request the server’s web.config file — a sensitive configuration file containing the machineKey.

With the machineKey in hand, attackers exploited a known ViewState deserialization flaw, giving them the ability to run arbitrary code on the server.

This chain of exploitation — from decrypting tickets to executing code — makes the vulnerability extremely dangerous.

Huntress confirmed at least nine organizations were targeted as of December 10, including companies in:

  • Healthcare
  • Technology
  • Professional services

An attacker IP address linked to exploitation attempts was identified as: 147.124.216[.]205. No formal attribution has been made yet.

Why This Vulnerability Is So Serious

This flaw poses a severe risk because:

  • It allows unauthenticated attackers to impersonate any user
  • Hardcoded keys mean all installations are equally vulnerable
  • Attackers can access sensitive data, credentials, and files
  • It leads to full remote code execution, enabling complete compromise
  • Active exploitation is already happening in the wild

Researchers warn that simply patching isn’t enough — keys must also be rotated after updating.

How to Protect Your Organization

Immediate Actions Recommended by Gladinet & Huntress

Gladinet urges all customers to:

1. Update to the latest version

Install version 16.12.10420.56791 (released December 8) immediately.

2. Rotate machine keys

Because attackers may have already extracted machineKeys, rotation is essential.

3. Check logs for this IoC string:

vghpI7EToZUDIZDdprSubL3mTZ2

This unique string is tied to encrypted file paths and is considered the most reliable indicator of compromise.

4. Review Huntress’ Mitigation Guidance

Huntress has published detailed IoCs and remediation steps defenders can use to determine whether their systems were breached.
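As an added example (not code from the article, Gladinet or Huntress), the log check in step 3 can be scripted so that every line carrying the IoC string, or the attacker IP quoted earlier in the article, is flagged with its source address and requested URI. It assumes an IIS W3C-style log layout and runs over constructed sample lines; the paths in the sample are made up and are not CentreStack endpoints.

```python
import re

# Indicators quoted in the article: the IoC path string and the attacker IP
# (given there defanged as 147.124.216[.]205).
IOC_PATH_STRING = "vghpI7EToZUDIZDdprSubL3mTZ2"
ATTACKER_IP = "147.124.216.205"
_IP_PATTERN = re.compile(r"(?<![\d.])" + re.escape(ATTACKER_IP) + r"(?![\d.])")

# Constructed sample in IIS W3C layout (assumption: the real log uses these
# fields in this order). Only lines 3 and 4 should be flagged.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-09 10:01:12 10.0.0.5 GET /portal/index.aspx - 443 alice 198.51.100.23 Mozilla/5.0 200
2025-12-09 10:03:44 10.0.0.5 GET /download path=vghpI7EToZUDIZDdprSubL3mTZ2 443 - 147.124.216.205 python-requests/2.31 200
2025-12-09 10:04:01 10.0.0.5 POST /portal/login.aspx - 443 - 147.124.216.205 Mozilla/5.0 302
2025-12-09 10:05:30 10.0.0.5 GET /portal/index.aspx - 443 bob 203.0.113.9 Mozilla/5.0 200
"""

# Column positions in the W3C layout above.
_URI_STEM, _CLIENT_IP = 4, 8


def scan_log(text: str) -> list[dict]:
    """Return one hit per log line that matches an indicator, with the reasons."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        reasons = []
        if IOC_PATH_STRING in line:
            reasons.append("ioc_string")
        if _IP_PATTERN.search(line):
            reasons.append("attacker_ip")
        if reasons:
            fields = line.split()
            hits.append({
                "line": lineno,
                "client_ip": fields[_CLIENT_IP] if len(fields) > _CLIENT_IP else None,
                "uri": fields[_URI_STEM] if len(fields) > _URI_STEM else None,
                "reasons": reasons,
            })
    return hits


def hits_by_client(hits: list[dict]) -> dict:
    """Count flagged requests per client IP, to see which sources need blocking/review."""
    counts: dict = {}
    for hit in hits:
        counts[hit["client_ip"]] = counts.get(hit["client_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(hits_by_client(scan_log(SAMPLE_LOG)))
```

Point `scan_log` at the contents of a real log file and treat any `ioc_string` hit as the strongest signal; an `attacker_ip` hit alone warrants review of that client's other requests.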

Additional Attacks: Linked to Older Vulnerability CVE-2025-30406

The new cryptographic flaw is being exploited alongside an older vulnerability, CVE-2025-30406, a local file inclusion bug that allows unauthorized access to system files.

When combined, the attack surface expands significantly — helping attackers escalate from simple file access to full system compromise.

Conclusion

The Gladinet CentreStack and Triofox vulnerability highlights a critical lesson for IT teams: custom cryptographic implementations are dangerous, especially when they rely on shared hardcoded keys.

With active exploitation confirmed, organizations running affected versions must act fast. Updating, rotating keys, scanning logs, and reviewing Huntress’ findings are essential steps to prevent long-term compromise.

Cyber attackers are getting faster, smarter, and more coordinated — but with quick action and the right security practices, organizations can stay ahead of the threat.

