Active Exploitation of Gladinet CentreStack and Triofox Cryptographic Flaw Enables Remote Code Execution
Attackers are actively exploiting a critical cryptographic vulnerability in Gladinet's CentreStack and Triofox products, which are used for secure remote file access and sharing. The flaw stems from the use of hard-coded cryptographic keys within the GladCtrl64.dll component, allowing threat actors to decrypt or forge access tickets and gain unauthorized access to sensitive files, including web.config. This access can be leveraged to obtain machine keys and achieve remote code execution via ViewState deserialization. Security researchers from Huntress have observed at least nine organizations targeted by these attacks, with exploitation occurring in the wild and Gladinet issuing advisories and updates to mitigate the risk.
The vulnerability is rooted in a custom implementation of the AES algorithm, where static 100-byte strings are used to derive encryption keys and initialization vectors, making them identical across all installations. Attackers can craft malicious requests to the /storage/filesvr.dn endpoint, bypassing authentication and impersonating users. Gladinet has provided indicators of compromise (IoCs) and urged customers to update to the latest versions released on November 29. The attacks highlight the risks of insecure cryptographic practices and the importance of timely patching in enterprise environments.
Timeline
Dec 11, 2025
Gladinet releases updates and urges customers to rotate machine keys
Gladinet released fixes for CentreStack and Triofox, with customers advised to upgrade to version 16.12.10420.56791. The company and researchers also recommended rotating or randomizing machine keys and reviewing logs for compromise if immediate patching was not possible.
Dec 11, 2025
Researchers reveal exploit chain with CVE-2025-11371 and publish IoCs
Public reporting disclosed that attackers could chain the hard-coded key issue with the previously disclosed CVE-2025-11371 local file inclusion flaw to escalate attacks, including access to files such as web.config and ViewState deserialization for RCE. Huntress published detection guidance and indicators of compromise, including suspicious log strings and crafted URL requests used to create persistent access tickets.
Dec 11, 2025
Attackers begin exploiting Gladinet hard-coded key flaw in the wild
Threat actors actively exploited an undocumented cryptographic flaw in Gladinet CentreStack and Triofox that exposed hard-coded AES keys, allowing forged or decrypted access tickets, unauthorized file access, and remote code execution. At least nine organizations across sectors including healthcare and technology were affected, and activity was linked to IP address 147.124.216.205.
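As an added defender-side example (not code from the story, Huntress or Gladinet), the script below triages IIS W3C-format web logs for the two indicators the story itself names: requests to the /storage/filesvr.dn endpoint and the source IP 147.124.216.205. The log field names and sample rows are assumptions and constructed data, not telemetry from any real incident.

```python
from dataclasses import dataclass
IOC_IPS = {"147.124.216.205"}            # IP linked to the activity (from the story)
WATCHED_PATHS = {"/storage/filesvr.dn"}  # endpoint the crafted requests target

@dataclass
class Hit:
    line_no: int
    client_ip: str
    path: str
    severity: str  # "high" = known IoC IP, "review" = watched endpoint only

def parse_w3c(lines):
    """Yield (line_no, row) from IIS W3C extended-format text, honouring #Fields."""
    fields = None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield n, dict(zip(fields, cols))

def triage(lines):
    """Return Hit records; rows from an IoC IP outrank plain endpoint matches."""
    hits = []
    for n, row in parse_w3c(lines):
        ip = row.get("c-ip", "")
        path = row.get("cs-uri-stem", "").lower()
        if ip in IOC_IPS:
            hits.append(Hit(n, ip, path, "high"))
        elif path in WATCHED_PATHS:
            hits.append(Hit(n, ip, path, "review"))
    return hits

# Constructed sample log for the demo, not telemetry from any real incident.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-12-11 09:00:01 10.0.0.5 GET /login.aspx - 200
2025-12-11 09:00:07 10.0.0.5 GET /storage/filesvr.dn - 200
2025-12-11 09:01:13 147.124.216.205 GET /storage/filesvr.dn - 200
2025-12-11 09:02:44 147.124.216.205 GET /default.aspx - 200
""".splitlines()

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.severity:6} {h.client_ip} {h.path}")
```

Legitimate clients also call this endpoint, so "review" hits are leads to check against the vendor's and Huntress's published indicators, not verdicts.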
Related Stories

Active Exploitation of Unpatched LFI Vulnerability in Gladinet CentreStack and TrioFox (CVE-2025-11371)
Attackers are actively exploiting a zero-day vulnerability, CVE-2025-11371, in Gladinet CentreStack and TrioFox file-sharing and remote access platforms. This vulnerability is an unauthenticated local file inclusion (LFI) flaw that allows threat actors to access sensitive system files, including the application’s Web.config file. By retrieving the machine key from this configuration file, attackers can leverage a previously patched vulnerability, CVE-2025-30406, to achieve remote code execution (RCE) through ViewState deserialization attacks. Huntress, a cybersecurity firm, first detected exploitation of this flaw on September 26-27, 2025, and has confirmed that at least three customers have been impacted so far. The vulnerability affects all versions of CentreStack and TrioFox up to and including 16.7.10368.56560, and there is currently no official patch available from Gladinet. Both self-hosted and cloud-hosted deployments of these platforms are at risk, as the flaw impacts default installations and configurations. The exploitation chain involves using the LFI to extract the machine key, which is then used to craft malicious ViewState payloads that bypass integrity checks and enable arbitrary code execution on the server. Notably, Huntress observed successful exploitation even on systems that had already patched CVE-2025-30406, indicating that the previous fix was insufficient to fully mitigate the risk. In response, Huntress and other security experts recommend disabling the "temp" handler within the UploadDownloadProxy Web.config file as an immediate mitigation, though this may impact some platform functionality. Gladinet has acknowledged the vulnerability and its active exploitation but has not yet released a patch, urging customers to implement the recommended mitigations. 
The affected products are widely used by managed service providers, small businesses, and enterprises for secure file access and sharing, increasing the potential impact of this vulnerability. Attackers exploiting this flaw can gain full control over affected servers, leading to data theft, lateral movement, or further compromise of organizational networks. Security researchers are withholding some technical details to prevent further exploitation while a patch is developed. Organizations using CentreStack or TrioFox should urgently review their configurations and apply the recommended mitigations to reduce exposure. The incident highlights the risks associated with chained vulnerabilities and the importance of defense-in-depth strategies. Ongoing monitoring and threat detection are advised until a permanent fix is available. The situation remains fluid, with active exploitation continuing and the vendor working on a security update.
Clop Ransomware Data Extortion Attacks on Gladinet CentreStack and Triofox Servers
The Clop ransomware group has initiated a widespread data extortion campaign targeting Internet-exposed Gladinet CentreStack and Triofox file servers. Attackers are exploiting multiple vulnerabilities, including CVE-2025-11371 (an unauthenticated local file inclusion flaw), CVE-2025-14611 (hardcoded cryptographic keys), and CVE-2025-12480 (a critical remote code execution vulnerability in Triofox). These vulnerabilities allow unauthorized access, file retrieval, and even remote code execution, enabling Clop to steal sensitive corporate data and leave ransom notes on compromised systems. Security researchers and incident responders have observed active exploitation across at least 200 unique IP addresses, with evidence that both zero-day and unpatched n-day vulnerabilities are being leveraged. Gladinet CentreStack and Triofox are widely used by businesses for secure file storage and sharing, making the impact of these attacks potentially significant. The Clop group’s campaign follows their established pattern of targeting file transfer and sharing solutions, having previously compromised platforms such as MOVEit, GoAnywhere, and Oracle EBS. Security updates have been released by Gladinet to address some of the exploited flaws, but the ongoing attacks highlight the importance of timely patching and monitoring of Internet-facing file sharing infrastructure. Technical analysis by VulnCheck and Mandiant has provided detailed insights into the exploitation methods, emphasizing the complexity and sophistication of the attack chain.
CISA Adds Gladinet CentreStack and CWP Control Web Panel Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities—CVE-2025-11371 in Gladinet CentreStack/Triofox and CVE-2025-48703 in Control Web Panel (CWP)—to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. CVE-2025-11371 is a local file inclusion flaw in Gladinet CentreStack and Triofox that allows unauthenticated access to system files, with reports from Huntress indicating that threat actors have already targeted at least three organizations by running reconnaissance commands via Base64-encoded payloads. CVE-2025-48703 is an unauthenticated remote code execution vulnerability in CWP, exploitable via shell metacharacters in the `t_total` parameter of a filemanager request, though there are currently no public reports of this flaw being weaponized in real-world attacks. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary patches by November 25, 2025, to mitigate these risks. Both Gladinet and Huntress have issued alerts and recommended workarounds for the actively exploited CentreStack/Triofox vulnerability, such as disabling the temp handler in the UploadDownloadProxy’s web configuration. The addition of these vulnerabilities to the KEV catalog underscores the urgency for organizations using these platforms to implement security updates and monitor for signs of exploitation, especially as technical details for the CWP flaw have been publicly disclosed, increasing the risk of future attacks.