Ethical Hacking News
A recently disclosed vulnerability in Gladinet's CentreStack and Triofox products poses significant risks to organizations using these applications. Hard-coded cryptographic keys leave a backdoor for threat actors to exploit, including ViewState deserialization attacks and remote code execution. Upgrading to the latest version of the software and implementing key rotation procedures are highly recommended to mitigate this risk.
Threat actors have discovered a vulnerability in Gladinet's CentreStack and Triofox products (CVE-2025-11371) that exposes organizations to unauthorized access and remote code execution. The vulnerability is due to the use of hard-coded cryptographic keys that can be manipulated by threat actors. The vulnerability has already been exploited in nine organizations across various sectors, including healthcare and technology. Successful exploitation involves ViewState deserialization attacks and attempts to retrieve the output of the execution. Mitigation includes updating to the latest version available and scanning logs for specific strings related to encrypted web.config files. Organizations that have fallen victim to exploits should rotate their machine keys by following specific steps.
A newly disclosed vulnerability in Gladinet's CentreStack and Triofox products, tracked as CVE-2025-11371, exposes organizations to unauthorized access and remote code execution. The flaw is attributed to hard-coded cryptographic keys derived from the output of the "GenerateSecKey()" function in the "GladCtrl64.dll" file.
The "GenerateSecKey()" function returns a fixed 100-byte text string from which the applications derive their cryptographic keys. Because that string never changes, the derived keys are the same on every installation, so anyone who knows them can decrypt any ticket the server generates or encrypt a ticket of their own choosing. This gives threat actors a path to sensitive files and unauthorized access to the system.
The vulnerability has already been exploited in nine organizations across various sectors, including healthcare and technology. The exploits take the form of specially crafted URL requests that chain previously disclosed flaws with this new one to bypass security controls and reach the machine keys contained in web.config files.
According to security researcher Bryan Masters, once a threat actor obtains these keys, they can proceed with ViewState deserialization attacks and attempt to retrieve the output of the execution. In-the-wild exploitation has already succeeded, and organizations remain exposed for as long as the hard-coded keys are in use.
To mitigate this vulnerability, organizations using CentreStack and Triofox should update to the latest available version, which includes the patch for CVE-2025-11371. Additionally, web server logs should be scanned for the string "vghpI7EToZUDIZDdprSubL3mTZ2", which represents the encrypted path of the web.config file.
Furthermore, if an organization has already fallen victim to these exploits and has discovered any indicators of compromise (IoCs), it is crucial that it rotate its machine keys by following these steps on each CentreStack server:
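As an added detection example (not code from the article or from Gladinet), the following Python scans IIS W3C-format logs for the indicator string above and reports the client, method and status of each matching request; the sample log and its request path are constructed placeholders, since the article does not give the real endpoint.

```python
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Indicator from the article: the encrypted web.config path seen in the crafted requests.
INDICATOR = "vghpI7EToZUDIZDdprSubL3mTZ2"

@dataclass
class Hit:
    timestamp: str
    client_ip: str
    method: str
    uri: str
    query: str
    status: int

def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per IIS W3C log record, keyed by the most recent '#Fields:' header."""
    fields: Optional[List[str]] = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # IIS may emit a new header mid-file
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # malformed record: skip rather than mis-align columns
        yield dict(zip(fields, values))

def find_indicator_hits(lines: Iterable[str]) -> List[Hit]:
    """Return every request whose URI stem or query string contains INDICATOR."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
        if INDICATOR in stem or INDICATOR in query:
            hits.append(Hit(f"{rec.get('date', '')} {rec.get('time', '')}",
                            rec.get("c-ip", ""), rec.get("cs-method", ""),
                            stem, query, int(rec.get("sc-status", "0"))))
    return hits

# Constructed sample log (not real traffic). The request path is a placeholder because
# the article does not give the real endpoint; detection keys on the indicator only.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-12-10 03:14:07 10.0.0.5 GET /portal/login.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 12
2025-12-10 03:14:09 10.0.0.5 GET /PLACEHOLDER/download.aspx file=vghpI7EToZUDIZDdprSubL3mTZ2 443 - 203.0.113.7 python-requests/2.31 200 0 0 41
2025-12-10 03:14:11 10.0.0.5 GET /portal/default.aspx - 443 - 198.51.100.9 Mozilla/5.0 200 0 0 8
"""
```

Run `find_indicator_hits(open(path).readlines())` over each exported IIS log file and triage every hit by client IP and time; a 200 status on a matching request means the server answered it and the key-rotation steps below apply.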
1. Back up the "web.config" file.
2. Open IIS Manager.
3. Navigate to Sites -> Default Web Site.
4. In the ASP.NET section, double-click on Machine Key.
5. Click 'Generate Keys' on the right-hand pane.
6. Click Apply to save the new key in "root\web.config".
7. Restart IIS after repeating this process for all worker nodes.
By implementing these steps and keeping up-to-date with the latest patches, organizations can safeguard themselves against such vulnerabilities and prevent potential threats from breaching their systems.
Related Information:
https://www.ethicalhackingnews.com/articles/Newly-Disclosed-Vulnerability-in-Gladinets-CentreStack-and-Triofox-Products-Exposes-Organizations-to-Unauthorized-Access-and-Remote-Code-Execution-ehn.shtml
https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.html
https://www.securityweek.com/huntress-documents-in-the-wild-exploitation-of-critical-gladinet-vulnerabilities/
https://nvd.nist.gov/vuln/detail/CVE-2025-11371
https://www.cvedetails.com/cve/CVE-2025-11371/
Published: Thu Dec 11 01:06:33 2025 by llama3.2 3B Q4_K_M