Gladinet static keys abused for file access and RCE

December 11, 2025 at 12:00 AM

Hackers are actively exploiting a hard-coded AES key flaw in Gladinet CentreStack and Triofox to forge access tickets, read web.config, and pivot to ViewState deserialization for remote code execution (RCE). Huntress reports nine affected organizations across healthcare and technology. The weakness is now tracked as CVE-2025-14611 (CVSS 7.1) and appears in CISA’s Known Exploited Vulnerabilities catalog, with U.S. federal agencies required to patch by January 5, 2026.

How the exploit works

  • A vulnerable function, GenerateSecKey() in GladCtrl64.dll, always returns the same 100-byte text, producing static cryptographic keys.
  • With those keys, attackers can decrypt or forge access tickets to impersonate users and access sensitive files like web.config.
  • Crafted requests target /storage/filesvr.dn with a forged ticket parameter (t=...). Username and password fields are left blank, causing fallback to the IIS Application Pool Identity.
  • The ticket timestamp is set to 9999 so it never expires, letting attackers reuse the URL to repeatedly download server configuration.
  • After retrieving web.config, attackers extract the machineKey and use ViewState deserialization to attempt RCE.

Evidence and activity

  • As of December 10, at least nine organizations are impacted; observed traffic originates from 147.124.216[.]205.
  • Attackers attempt to chain CVE-2025-11371 with this flaw to access and leverage the machineKey; prior campaigns also involved CVE-2025-30406.
  • One observed attempt achieved ViewState deserialization but failed to exfiltrate execution output.
  • Log indicator: requests to /storage/filesvr.dn containing the string vghpI7EToZUDIZDdprSubL3mTZ2 (encrypted representation of the web.config path).

Impact

  • Unauthenticated arbitrary local file inclusion and remote code execution against publicly exposed endpoints.

What to do now

  • Patch immediately: upgrade CentreStack and Triofox to version 16.12.10420.56791 (released December 8, 2025).
  • Hunt for IOCs:
    • Search web logs for /storage/filesvr.dn and the string vghpI7EToZUDIZDdprSubL3mTZ2.
    • Review access from 147.124.216[.]205.
  • If compromise is suspected, rotate machine keys on every node:
    • On the CentreStack server, go to C:\Program Files (x86)\Gladinet Cloud Enterprise\root.
    • Back up web.config.
    • Open IIS Manager and navigate to Sites -> Default Web Site.
    • In the ASP.NET section, double-click Machine Key.
    • Click 'Generate Keys', then Apply, so the new keys are written to root\web.config.
    • Repeat on all worker nodes and restart IIS.
  • Reduce exposure:
    • Limit public access to management and file-serving endpoints.
    • Add WAF rules to inspect or block suspicious /storage/filesvr.dn requests until patched.
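The log hunt described above, as an added example that is not from the article or from Huntress: a small Python scanner for IIS W3C-format logs that flags requests to /storage/filesvr.dn whose ticket carries the encrypted web.config string, and any request from the reported source IP. The log excerpt is constructed, and the column names are the standard IIS W3C field names (assumed to match your site's logging configuration).

```python
FILESVR_STEM = "/storage/filesvr.dn"
ENC_WEBCONFIG = "vghpI7EToZUDIZDdprSubL3mTZ2"   # encrypted web.config path, from the advisory
KNOWN_SOURCE_IP = "147.124.216.205"             # advisory defangs it as 147.124.216[.]205

# Constructed sample in IIS W3C extended format; not real traffic from any site.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-09 03:14:07 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2 443 - 147.124.216.205 python-requests/2.31 200
2025-12-09 03:14:09 10.0.0.5 GET /portal/loginpage.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-12-09 03:15:22 10.0.0.5 GET /storage/filesvr.dn t=AbC123 443 alice 198.51.100.4 Mozilla/5.0 200
2025-12-09 03:16:40 10.0.0.5 GET /portal/loginpage.aspx - 443 - 147.124.216.205 python-requests/2.31 200
"""

def parse_w3c(text: str):
    """Yield one dict per record, naming columns from the most recent #Fields header."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip instead of mis-mapping columns
        yield dict(zip(fields, values))

def classify(rec: dict) -> list:
    """Return the names of the indicators a single record matches (empty if none)."""
    hits = []
    stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "")
    # filesvr.dn traffic is normal; the encrypted web.config path inside the ticket is not.
    if stem.lower() == FILESVR_STEM and ENC_WEBCONFIG in query:
        hits.append("filesvr.dn ticket for web.config")
    if rec.get("c-ip") == KNOWN_SOURCE_IP:
        hits.append("known attacker source IP")
    return hits

def hunt(text: str) -> list:
    """Return (timestamp, client IP, matched indicators) for every suspicious record."""
    findings = []
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            when = f"{rec.get('date', '?')} {rec.get('time', '?')}"
            findings.append((when, rec.get("c-ip", "?"), reasons))
    return findings
```

Ordinary user downloads through /storage/filesvr.dn are expected, so the scanner keys on the encrypted web.config string rather than on the endpoint alone; a hit on the source IP by itself still warrants a look at what else that address touched.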

Background

  • The flaw stems from hard-coded AES keys derived from constant output of GenerateSecKey(); because the keys never rotate, any server-issued ticket can be decrypted and attacker-created tickets can be accepted.
  • CISA warns this weak cryptoscheme degrades security of public endpoints and can enable unauthenticated local file inclusion via crafted requests.

Source: The Hacker News
