Security firm Huntress reported active exploitation of a cryptographic weakness in Gladinet’s CentreStack and Triofox products that has affected nine organisations, including entities in the healthcare and technology sectors. Huntress researcher Bryan Masters said threat actors are leveraging the flaw to access sensitive configuration files.
The root cause is a function named GenerateSecKey() in GladCtrl64.dll that always returns the same 100-byte text strings, which are then used to derive encryption keys. Because the derived keys do not change, an attacker who knows the strings can decrypt or forge access tickets and thereby access protected files such as web.config, Huntress said.
Huntress detailed that the exploit involves specially crafted requests to the /storage/filesvr.dn endpoint and that attack tickets have left the Username and Password fields blank so the application falls back to the IIS Application Pool Identity. The reports say the timestamp field in forged tickets has been set to 9999, creating effectively non‑expiring tickets, and that activity has originated from IP address 147.124.216.205. The intrusion attempts also tried to chain a previously disclosed flaw (CVE‑2025‑11371) to extract the machine key from web.config and perform ViewState deserialization for remote code execution; Huntress said the attackers attempted deserialization and then a retrieval of execution output, which failed.
In response to the active exploitation, organisations running CentreStack and Triofox are urged to update to the latest released build, 16.12.10420.56791, which was published on Dec. 8, 2025, according to the vendor release notes cited in the advisory.
Huntress recommended scanning logs for the string “vghpI7EToZUDIZDdprSubL3mTZ2”, which is the encrypted representation of the web.config path observed in the attacks. If indicators of compromise are found, administrators should rotate the machine key and follow vendor guidance; CentreStack provides a documented procedure for generating new machine keys, applying them across worker nodes and restarting IIS.
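The log check described above can be scripted. The following is an added example, not code from Huntress or Gladinet: it scans IIS W3C log lines for the three indicators named in this article and separates ticket-string hits from weaker endpoint-only or IP-only hits. The log layout, sample lines and query parameter name are constructed assumptions.

```python
# Indicators taken from the article text; everything else here is constructed.
IOC_TICKET = "vghpI7EToZUDIZDdprSubL3mTZ2"   # encrypted web.config path
IOC_ENDPOINT = "/storage/filesvr.dn"
IOC_IP = "147.124.216.205"

# Constructed IIS W3C log excerpt (hosts, times and parameter name are made up).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-12-01 10:00:01 192.0.2.10 GET /portal/login.aspx - 200
2025-12-01 10:00:05 147.124.216.205 GET /storage/filesvr.dn x=AAAAvghpI7EToZUDIZDdprSubL3mTZ2BBBB 200
2025-12-01 10:00:09 198.51.100.7 GET /Storage/FileSvr.dn x=CCCC 200
2025-12-01 10:00:12 203.0.113.5 GET /storage/filesvr.dn x=DDDDvghpI7EToZUDIZDdprSubL3mTZ2 200
"""

def scan_iis_log(lines):
    """Return one finding per log line that matches any indicator."""
    fields, findings = [], []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may reappear mid-file
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        hits = []
        if IOC_TICKET in line:                 # match the string exactly as given
            hits.append("ticket")
        if row.get("cs-uri-stem", "").lower() == IOC_ENDPOINT:
            hits.append("endpoint")            # IIS paths are case-insensitive
        if row.get("c-ip") == IOC_IP:
            hits.append("ip")
        if hits:
            findings.append({"line": lineno, "c-ip": row.get("c-ip"), "hits": hits})
    return findings

def triage(findings):
    """Split findings: ticket hits are the rotate-the-machine-key case."""
    urgent = [f for f in findings if "ticket" in f["hits"]]
    review = [f for f in findings if "ticket" not in f["hits"]]
    return urgent, review

if __name__ == "__main__":
    urgent, review = triage(scan_iis_log(SAMPLE_LOG.splitlines()))
    for f in urgent:
        print("ROTATE-KEY candidate:", f)
    for f in review:
        print("review:", f)
```

Requests to the endpoint without the ticket string may be ordinary product traffic, which is why they are reported for review and not treated as confirmed indicators.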
Organisations using these products are advised to monitor logs for related indicators, apply the vendor updates and key rotations where needed, and review incident response plans.

