
Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution

Severity: Critical
Tags: Exploit, remote, web
Published: Thu Dec 11 2025 (12/11/2025, 05:56:00 UTC)
Source: The Hacker News

Description

Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far. "Threat actors can potentially abuse this as a way to access the web.config file, opening the door for deserialization and remote code execution," security researcher Bryan Masters said.

AI-Powered Analysis

Last updated: 12/11/2025, 07:24:01 UTC

Technical Analysis

Gladinet's CentreStack and Triofox products contain a critical security vulnerability stemming from the use of hard-coded cryptographic keys within the GenerateSecKey() function located in GladCtrl64.dll. This function generates static 100-byte strings used to derive cryptographic keys for encrypting access tickets that contain authorization data such as usernames and passwords. Because these keys never change, attackers can decrypt any server-generated ticket or forge their own, enabling unauthorized access to the file system.

Specifically, attackers exploit this to access the web.config file, which contains sensitive configuration data including the machine key used for ASP.NET ViewState encryption. By obtaining the machine key, attackers can perform ViewState deserialization attacks leading to remote code execution (RCE). The attack vector involves sending specially crafted HTTP requests to the /storage/filesvr.dn endpoint with manipulated access tickets that have blank username and password fields, causing the system to revert to the IIS Application Pool Identity. Additionally, the timestamp in these tickets is set to an abnormally high value (9999), effectively creating tickets that never expire and allowing indefinite reuse.

This vulnerability has been actively exploited against at least nine organizations across various sectors such as healthcare and technology. The attacks also chain with a previously disclosed vulnerability (CVE-2025-11371) to extract the machine key from the web.config file. The vendor released a patched version (16.12.10420.56791) on December 8, 2025, and recommends scanning logs for specific encrypted strings indicative of exploitation attempts. Remediation includes updating the software, rotating machine keys via IIS Manager, and restarting IIS services across all worker nodes.

Potential Impact

For European organizations, this vulnerability poses a severe risk of unauthorized access to critical configuration files and potential full system compromise via remote code execution. Healthcare and technology sectors are particularly vulnerable due to their frequent use of CentreStack and Triofox for cloud storage and file sharing. Exploitation could lead to exposure of sensitive patient data, intellectual property theft, disruption of services, and regulatory non-compliance under GDPR. The persistent nature of the forged tickets allows attackers prolonged access, increasing the risk of data exfiltration and lateral movement within networks. The fallback to IIS Application Pool Identity may grant elevated privileges, further exacerbating the impact. Given the active exploitation and the ability to chain with other vulnerabilities, affected organizations face operational, reputational, and financial damages. Incident response and forensic investigations may be complicated by the stealthy nature of the attack vector. Organizations relying on these products for critical infrastructure or cloud services in Europe must prioritize mitigation to prevent severe breaches.

Mitigation Recommendations

European organizations should immediately upgrade CentreStack and Triofox to version 16.12.10420.56791 or later to patch the vulnerability. They must scan server logs for the presence of the encrypted string 'vghpI7EToZUDIZDdprSubL3mTZ2' to detect potential exploitation attempts.

If indicators of compromise are found, rotate the machine key in the web.config file by using IIS Manager: navigate to Sites -> Default Web Site, open the ASP.NET Machine Key section, generate new keys, apply the changes, and restart IIS services on all worker nodes.

Conduct a thorough audit of access logs and network traffic to identify unauthorized access or lateral movement. Implement strict network segmentation and monitor for unusual requests to the /storage/filesvr.dn endpoint. Disable or restrict access to unnecessary endpoints and enforce least privilege for IIS Application Pool identities. Employ application-layer firewalls or web application firewalls (WAFs) with custom rules to detect and block malformed requests targeting this vulnerability. Regularly review and update cryptographic key management policies to avoid hard-coded keys in future deployments. Engage in proactive threat hunting for signs of ViewState deserialization attacks and ensure incident response teams are prepared for rapid containment.
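The two log-side checks recommended above (the indicator string and unusual requests to the /storage/filesvr.dn endpoint) can be run over exported IIS logs. The script below is an added example for this page, not tooling from Huntress, Gladinet or The Hacker News. It assumes the standard W3C extended log format that IIS writes (field order taken from the #Fields directive), treats the indicator string and endpoint path quoted in the advisory as its only page-derived values, and uses a constructed sample log and an assumed list of internal address ranges that a deployment would replace with its own.

```python
import ipaddress
from dataclasses import dataclass

# Indicator string quoted in the advisory above.
IOC_TICKET_FRAGMENT = "vghpI7EToZUDIZDdprSubL3mTZ2"
# Endpoint named in the advisory as the one that receives the manipulated tickets.
WATCHED_PATH = "/storage/filesvr.dn"
# Assumed internal ranges for this example; replace with the deployment's own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (not real traffic) in the IIS W3C extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-12-09 03:14:07 10.0.0.5 GET /portal/loginpage.aspx - 10.0.1.20 Mozilla/5.0 200
2025-12-09 03:15:22 10.0.0.5 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2AAAA 203.0.113.7 python-requests/2.31 200
2025-12-09 03:16:01 10.0.0.5 GET /storage/filesvr.dn t=abc123 10.0.1.20 Mozilla/5.0 200
2025-12-09 03:17:45 10.0.0.5 GET /storage/filesvr.dn t=zzz 198.51.100.9 curl/8.4 200
"""


@dataclass
class Finding:
    rule: str
    timestamp: str
    client_ip: str
    target: str


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("log line encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        row = dict(zip(fields, values))
        row["_raw"] = line
        rows.append(row)
    return rows


def is_external(ip_text):
    """True when the client address is outside the assumed internal ranges (or unparsable)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def scan_rows(rows):
    """Apply the two advisory checks: the indicator string anywhere in the line (high
    confidence) and requests to the ticket endpoint from outside the internal ranges."""
    findings = []
    for row in rows:
        stamp = f"{row.get('date', '')} {row.get('time', '')}"
        client = row.get("c-ip", "")
        uri = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        target = uri if query == "-" else f"{uri}?{query}"
        if IOC_TICKET_FRAGMENT in row["_raw"]:
            findings.append(Finding("ioc-ticket-string", stamp, client, target))
            continue
        if uri.lower() == WATCHED_PATH and is_external(client):
            findings.append(Finding("filesvr-from-external", stamp, client, target))
    return findings


def scan_log(text):
    return scan_rows(parse_iis_log(text))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.timestamp} {f.client_ip} -> {f.target}")
```

The indicator-string rule is the one the advisory gives and should be treated as a strong signal on its own; the endpoint rule only narrows review to requests from outside the addresses the deployment expects, so its hits are triage candidates rather than confirmed compromise. Run it against logs from every worker node, since the advisory calls for rotating keys and restarting IIS on all of them.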


Technical Details

Article Source: https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.html (fetched 2025-12-11T07:23:43Z, 1176 words)

Threat ID: 693a718296da2fc9d6dd0936

Added to database: 12/11/2025, 7:23:46 AM

Last enriched: 12/11/2025, 7:24:01 AM

Last updated: 12/11/2025, 9:32:43 AM
