In December 2025, security researchers sounded the alarm on an actively exploited vulnerability in Gladinet’s CentreStack and Triofox file‑sharing and remote access products. The flaw stems from hard‑coded cryptographic keys embedded in the software’s configuration, a serious design flaw that allows attackers to forge access tokens, decrypt sensitive files, and even trigger remote code execution (RCE) on affected servers.
At least nine organizations across industries, including healthcare and technology, have already been compromised by this attack chain, and exploitation has occurred in the wild through crafted HTTP requests targeting the file server component.
What Happened?
Gladinet CentreStack and its enterprise file‑sharing counterpart, Triofox, are widely deployed by companies needing secure, remote access to files and collaboration tools. However, researchers from Huntress discovered that the products shipped static, hard‑coded machineKey values in their configuration files; these keys are meant to secure ASP.NET ViewState, a mechanism for maintaining state across web requests.
Because these machineKey values were identical across installations and never dynamically generated, attackers could:
- Decrypt or forge ViewState data, removing cryptographic integrity protections.
- Access sensitive server files like web.config without valid credentials.
- Obtain machineKey values directly from configuration.
- Craft malicious ViewState payloads that ASP.NET deserializes as trusted data, leading to remote code execution on the server process.
In practice, adversaries sent specially crafted URL requests to endpoints such as /storage/filesvr.dn where the hard‑coded keys allowed them to bypass normal access controls and retrieve protected files. In some cases the access ticket issued by the server contained a timestamp set to “9999,” effectively creating a ticket that never expires and can be reused indefinitely for exploitation.
How It Happened
At the core of the issue is the GenerateSecKey() function within GladCtrl64.dll, which returns the same predictable 100‑byte text strings for every installation. These strings are used to derive the cryptographic keys that sign and encrypt access tickets. Because they never change, threat actors can leverage them to:
- Decrypt access tickets and access protected server resources.
- Reverse‑engineer or predict token values.
- Forge malicious tickets that the server will accept.
- Trigger ViewState deserialization attacks using the known keys.
Attack campaigns first surfaced when threat actors combined this flaw with previously disclosed vulnerabilities, including an earlier hard‑coded key issue (CVE‑2025‑30406) that also enabled RCE, to obtain the necessary machineKey from web.config.
The attack chain begins with specially crafted HTTP requests that break normal authentication by exploiting the predictable keying material, granting unauthorized access to system configuration files. Once the machineKey is known, attackers can leverage serialization/deserialization mechanisms in ASP.NET to execute arbitrary code on the server.
What Was at Risk
The exploitation of hard‑coded keys in CentreStack and Triofox opened the door to several high‑impact outcomes:
- Unauthorized file access – Attackers could read confidential files, including configuration and user data, without valid logins.
- Remote code execution – By using serialized payloads, adversaries could execute arbitrary code on affected servers, potentially installing malware, backdoors, or pivot tools.
- Persistent compromise – Because access tickets could be crafted to never expire, a foothold once gained could be used again and again.
- Lateral movement – From a compromised file server, attackers could escalate within networks or explore other hosts.
- Widespread impact – Attack campaigns have affected at least nine organizations so far, and additional exploitation is ongoing.
Recommendations
In light of active exploitation, Gladinet has released updates that address the underlying vulnerability. Affected organizations should:
- Scan logs for known indicators of compromise, such as repeated requests containing encrypted representations of sensitive file paths (e.g., “vghpI7EToZUDIZDdprSubL3mTZ2…”).
- Rotate machineKey values in existing installations by backing up web.config, generating new machineKey entries via IIS Manager, and restarting the application services.
- Apply all vendor patches immediately and verify that no outdated configurations or legacy keys remain.
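As an added illustration of the log-scanning recommendation (this is not code from Huntress, Gladinet or this post), the following Python scanner runs over constructed IIS W3C log lines and flags requests to /storage/filesvr.dn that carry the IoC prefix quoted above or a long opaque token in the query. The endpoint and IoC prefix come from the text; the query parameter name `t`, the 40-character length heuristic and the repeat threshold are assumptions.

```python
import re
from collections import defaultdict

# Prefix of the known indicator quoted in the advisory (the full value is truncated there).
KNOWN_IOC_PREFIXES = ("vghpI7EToZUDIZDdprSubL3mTZ2",)
TARGET_STEM = "/storage/filesvr.dn"
# Heuristic (assumption): an encrypted path shows up as a long base64-like blob.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{40,}")
REPEAT_THRESHOLD = 3  # assumption: report a client after this many hits

# Constructed sample IIS W3C log (not real telemetry); IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-12-03 10:15:01 203.0.113.7 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2CONSTRUCTEDPADDINGAAAAAAAA 200
2025-12-03 10:15:02 203.0.113.7 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2CONSTRUCTEDPADDINGAAAAAAAA 200
2025-12-03 10:15:03 203.0.113.7 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2CONSTRUCTEDPADDINGAAAAAAAA 200
2025-12-03 10:16:10 198.51.100.4 GET /portal/login.aspx - 200
2025-12-03 10:17:44 198.51.100.4 GET /storage/filesvr.dn t=short 404
2025-12-03 10:18:02 192.0.2.9 GET /storage/filesvr.dn t=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9w 200
"""

def parse_w3c(text):
    """Yield one dict per log line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def classify(rec):
    """Return 'known-ioc', 'opaque-token', or None for one parsed request."""
    if rec.get("cs-uri-stem", "").lower() != TARGET_STEM:
        return None
    query = rec.get("cs-uri-query", "-")
    if any(prefix in query for prefix in KNOWN_IOC_PREFIXES):
        return "known-ioc"
    if OPAQUE_TOKEN.search(query):
        return "opaque-token"
    return None

def find_suspects(text, threshold=REPEAT_THRESHOLD):
    """Map client IP -> list of hit reasons; keep IPs with a known IoC or repeated hits."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        reason = classify(rec)
        if reason:
            hits[rec["c-ip"]].append(reason)
    return {ip: r for ip, r in hits.items() if "known-ioc" in r or len(r) >= threshold}
```

Any client reported by `find_suspects` is a triage lead, not proof of compromise; confirm against the server-side access and ticket logs before acting.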
How NHI Mgmt Group Can Help
Incidents like this underscore a critical truth: Non-Human Identities (NHIs) are now at the center of modern cyber risk. OAuth tokens, AWS credentials, service accounts, and AI-driven integrations act as trusted entities inside your environment, yet they’re often the weakest link when it comes to visibility and control.
At NHI Mgmt Group, we specialize in helping organizations understand, secure, and govern their non-human identities across cloud, SaaS, and hybrid environments. Our advisory services are grounded in a risk-based methodology that drives measurable improvements in security, operational alignment, and long-term program sustainability.
We also offer the NHI Foundation Level Training Course, the world’s first structured course dedicated to Non-Human Identity Security. This course gives you the knowledge to detect, prevent, and mitigate NHI risks.
If your organization uses third-party integrations, AI agents, or machine credentials, this training isn’t optional; it’s essential.
Final Thoughts
The Gladinet incident is a stark reminder that hard‑coded cryptographic keys and default secrets are among the most dangerous security weaknesses. When the same key is used across installations, attackers can precompute exploits that work universally, effectively dissolving cryptographic integrity protections and turning benign features into attack vectors.
Additionally, combining multiple vulnerabilities, such as a local file inclusion bug with predictable key material, can amplify risk far beyond what developers intended. These kinds of chained exploits enable remote code execution using widely understood ASP.NET deserialization techniques, giving attackers disproportionate leverage against enterprise systems with internet‑accessible file servers.