Gladinet file-sharing servers allow remote code execution

Enterprises relying on Gladinet's file-sharing products face another round of zero-day patching, this time to stop attackers abusing cryptographic keys hardcoded in its CentreStack and Triofox platforms.

Cybersecurity firm Huntress warned that attackers are already abusing the hardcoded keys to perform remote code execution (RCE) on the affected servers.

“The AES implementation of Gladinet’s CentreStack and Triofox products contains hardcoded cryptographic keys,” Huntress researchers said in a blog post. “We are seeing attackers target this flaw across our customer base.”

As with any internet-facing server, remote code execution on CentreStack or Triofox can lead to malware deployment, backdoor persistence, and credential theft. Huntress urged all CentreStack and Triofox customers to update to the latest version, 16.12.10420.56791, saying nine of its enterprise customers had already been affected.

Hardcoded keys, harder consequences

At the core of the issue is a design failure in how CentreStack and Triofox generate the cryptographic keys used to encrypt the access tickets the platforms use to control who can retrieve which files. Huntress found that the server relies on a function called "GenerateSecKey()" to produce the AES key and initialization vector (IV) for ticket encryption, but instead of generating unique values, the function returns the same static 100-byte strings every time the service runs.

“Because the keys never change, we could extract them from memory once and use them to decrypt any ticket generated by the server or worse, encrypt our own,” the researchers said, adding that the keys were static strings of Chinese and Japanese text.

With a forged ticket, an adversary can request any file the server is capable of serving, including the sensitive "web.config" file, which contains the ASP.NET machine key.

With the machine key in hand, attackers can generate malicious ViewState payloads that the server will trust: because ASP.NET validates ViewState with that same key, a forged payload passes the integrity check and is deserialized, enabling remote code execution. Deserialization attacks exploit unsafe parsing of serialized objects (such as ViewState in ASP.NET) to inject payloads that run with the privileges of the web application's worker process.

Patch now

Huntress identified multiple active attacks in which the threat actor first attempted to exploit CVE-2025-11371, a previously disclosed unauthenticated local file inclusion bug in CentreStack/Triofox, and then fell back to the new hardcoded-key exploit. Either path lets attackers obtain the web.config file containing the machine key.

No prerequisites such as valid credentials or privileged access are needed for a successful attack beyond knowledge of the hardcoded keys. To mitigate the risk, Huntress urged all customers to update immediately to the latest builds released by Gladinet on December 8, as these contain fixes for the insecure cryptography.

Where immediate patching isn't feasible, replacing the ASP.NET machine key in web.config with freshly randomized values can reduce risk until updates are deployed, since a previously leaked key then no longer validates forged ViewState. Additionally, the Huntress team shared the encrypted GET request for web.config as an indicator of compromise (IOC).
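The interim mitigation described above, rotating the machineKey, can be scripted. The following PowerShell is an added example written for this article; it is not Gladinet's or Huntress's code. It assumes it runs as Administrator on the IIS host, that $WebConfigPath points at the affected application's web.config (the path below is a placeholder), and that the application pool name is known (also a placeholder).

```powershell
# Added example (not Gladinet's or Huntress's code): generate fresh random
# ASP.NET machineKey values and write them into an application's web.config,
# so a key that was already stolen no longer signs or encrypts ViewState.
# Assumptions: run as Administrator on the IIS host; $WebConfigPath is the
# application's web.config (placeholder path); the app pool name is a placeholder.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\app\web.config',  # assumed path
    [string]$AppPoolName   = 'DefaultAppPool'                       # assumed pool
)

function New-RandomHexKey {
    param([int]$Bytes)
    # Use the CSPRNG, not Get-Random, for key material.
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
}

# HMACSHA256 validation key: 64 bytes. AES decryption key: 32 bytes (AES-256).
$validationKey = New-RandomHexKey -Bytes 64
$decryptionKey = New-RandomHexKey -Bytes 32

# Keep a timestamped backup before touching the config.
Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

[xml]$cfg = Get-Content -Raw -Path $WebConfigPath

# Create <system.web> and <machineKey> if they are missing, otherwise reuse them.
$systemWeb = $cfg.configuration.'system.web'
if (-not $systemWeb) {
    $systemWeb = $cfg.configuration.AppendChild($cfg.CreateElement('system.web'))
}
$mk = $systemWeb.machineKey
if (-not $mk) {
    $mk = $systemWeb.AppendChild($cfg.CreateElement('machineKey'))
}

# Explicit algorithms so the new keys are not paired with legacy defaults.
$mk.SetAttribute('validationKey', $validationKey)
$mk.SetAttribute('decryptionKey', $decryptionKey)
$mk.SetAttribute('validation',    'HMACSHA256')
$mk.SetAttribute('decryption',    'AES')
$cfg.Save($WebConfigPath)

# Running worker processes still hold the old key in memory; recycle the pool
# so every request is validated against the new one.
Import-Module WebAdministration
Restart-WebAppPool -Name $AppPoolName
```

Two caveats before running it: rotating the machineKey invalidates any outstanding ViewState, forms-authentication and session tickets, so users will be logged out; and if the application is load-balanced across several servers, every node must receive the same new key pair or requests will fail validation when they land on a different node. Rotation also does nothing about the hardcoded ticket keys themselves, which only the vendor patch removes, so it is a stopgap, not a fix.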

Gladinet has previously failed to fully patch a similar hardcoded-key flaw: attackers found a way to revive the exploit conditions on patched systems.
