Attackers are actively exploiting a critical cryptographic vulnerability in Gladinet's CentreStack and Triofox products, which are used for secure remote file access and sharing. The flaw stems from the use of hard-coded cryptographic keys within the GladCtrl64.dll component, allowing threat actors to decrypt or forge access tickets and gain unauthorized access to sensitive files, including web.config. This access can be leveraged to obtain machine keys and achieve remote code execution via ViewState deserialization. Security researchers from Huntress have observed at least nine organizations targeted by these attacks, with exploitation occurring in the wild and Gladinet issuing advisories and updates to mitigate the risk.
The vulnerability is rooted in a custom implementation of the AES algorithm, where static 100-byte strings are used to derive encryption keys and initialization vectors, making them identical across all installations. Attackers can craft malicious requests to the /storage/filesvr.dn endpoint, bypassing authentication and impersonating users. Gladinet has provided indicators of compromise (IoCs) and urged customers to update to the latest versions released on November 29. The attacks highlight the risks of insecure cryptographic practices and the importance of timely patching in enterprise environments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Gladinet released fixes for CentreStack and Triofox, with customers advised to upgrade to version 16.12.10420.56791. The company and researchers also recommended rotating or randomizing machine keys and reviewing logs for compromise if immediate patching was not possible.
Public reporting disclosed that attackers could chain the hard-coded key issue with the previously disclosed CVE-2025-11371 local file inclusion flaw to escalate attacks, including access to files such as web.config and ViewState deserialization for RCE. Huntress published detection guidance and indicators of compromise, including suspicious log strings and crafted URL requests used to create persistent access tickets.
Threat actors actively exploited an undocumented cryptographic flaw in Gladinet CentreStack and Triofox that exposed hard-coded AES keys, allowing forged or decrypted access tickets, unauthorized file access, and remote code execution. At least nine organizations across sectors including healthcare and technology were affected, and activity was linked to IP address 147.124.216.205.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
csoonline.com
Open sourcethehackernews.com
Open sourcebleepingcomputer.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.