Excerpt from IIS logs highlights recent attack
Gladinet is in trouble again: vulnerabilities have been uncovered in its CentreStack and Triofox products stemming from embedded, hardcoded cryptography. According to Huntress, the AES implementation relies on fixed keys, allowing attackers to forge “access tickets” for file downloads and gain access to the web.config file. This, in turn, opens a direct path to stealing the ASP.NET machineKey and launching further attacks via ViewState deserialization, potentially culminating in remote code execution. Researchers stress that exploitation is already occurring in the wild and urge immediate upgrades to version 16.12.10420.56791.
At the heart of the issue lies a request handler that accepts a parameter containing an encrypted “ticket,” which encodes both the requested resource and the associated permissions. In a secure design, such tickets should be bound to unique, secret keys specific to each server. Huntress discovered, however, that both the encryption key and initialization vector are effectively immutable, derived each time from the same static strings embedded within the product’s library. This means that once an attacker obtains these values, they can potentially decrypt legitimate tickets or generate their own, enabling unauthorized access to sensitive files on the server.
From there, the attack follows a well-known IIS exploitation chain. By retrieving web.config, an attacker can extract the machineKey that safeguards ViewState integrity. With this key in hand, forging ViewState data becomes feasible, paving the way for deserialization attacks that, in the worst case, result in full remote code execution. The technique itself is well established, and within the Gladinet ecosystem it has surfaced before: the NVD describes CVE-2025-30406 as a deserialization vulnerability tied to a hardcoded machineKey and notes that it, too, has been actively exploited in the wild.
Huntress further reports that, in observed incidents, attackers initially attempted to leverage a previously known LFI flaw (CVE-2025-11371) before switching to this new avenue to extract web.config and escalate to ViewState-based attacks. As of December 10, nine organizations across multiple industries had been affected, with exploitation attempts linked, among others, to the IP address 147.124.216[.]205.
For defenders, the guidance is clear. Gladinet has released updates, and the foremost recommendation is to upgrade without delay to the latest build, 16.12.10420.56791. Crucially, administrators must then rotate or regenerate the machineKey; otherwise, any previously compromised key will remain usable even after patching. For threat hunting, Huntress also advises searching logs for distinctive fragments that appear in requests targeting web.config, while cautioning that full IoC strings may prove unreliable due to time-dependent variables.
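As an added illustration of the log-hunting advice above (example code written for this page, not Huntress's tooling or Gladinet's code): it parses IIS W3C log lines, decodes double-encoded and backslash-folded variants, and flags requests whose path or query contains a fragment such as web.config. The handler path, ticket value and log lines are constructed placeholders, and the fragment list is an assumption rather than the Huntress IoC strings.

```python
from urllib.parse import unquote

# Constructed sample IIS W3C log (not taken from the article or from the
# Huntress report). The handler path and ticket value are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-12-09 10:14:02 10.0.0.5 GET /portal/index.html - 443 192.0.2.10 200
2025-12-09 10:14:07 10.0.0.5 GET /HANDLER_PLACEHOLDER t=TICKET_PLACEHOLDER&f=..%2f..%2fweb.config 443 192.0.2.77 200
2025-12-09 10:14:09 10.0.0.5 GET /HANDLER_PLACEHOLDER t=TICKET_PLACEHOLDER&f=%252e%252e%255cWEB.CONFIG 443 192.0.2.77 200
2025-12-09 10:15:00 10.0.0.5 POST /portal/login.aspx - 443 198.51.100.3 302
"""

# Fragments to hunt for (assumed; the article says full IoC strings carry
# time-dependent parts, so short fragments are matched after decoding).
DEFAULT_FRAGMENTS = ("web.config", "../")

def normalize(value: str) -> str:
    """Percent-decode repeatedly (covers double encoding), lowercase, and
    fold backslashes to slashes so traversal variants compare equal."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.lower().replace("\\", "/")

def parse_w3c(text: str):
    """Yield one dict per request, keyed by the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def hunt(text: str, fragments=DEFAULT_FRAGMENTS):
    """Return (date, time, client IP, fragment) for each request whose
    decoded stem or query contains any of the fragments."""
    hits = []
    for rec in parse_w3c(text):
        target = normalize(rec["cs-uri-stem"] + "?" + rec["cs-uri-query"])
        for frag in fragments:
            if frag in target:
                hits.append((rec["date"], rec["time"], rec["c-ip"], frag))
                break
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Point the script at real IIS logs by reading the file into `hunt`; the header-driven parser tolerates any field order as long as the stem, query and client IP columns are present.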