Active Exploits Target Gladinet CentreStack and Triofox Using Hard-Coded Keys
Executive Summary
In December 2025, Gladinet's CentreStack and Triofox platforms were found to contain a critical vulnerability (CVE-2025-14611) arising from hard-coded cryptographic keys. Threat actors exploited this flaw by crafting malicious access tickets, allowing them to decrypt sensitive files—including the web.config file—and ultimately achieve remote code execution through ViewState deserialization. At least nine organizations across healthcare and technology were compromised, with attackers chaining this vulnerability with previously known flaws for greater impact. The attack flow highlights attackers' in-depth knowledge of Gladinet’s codebase and past vulnerabilities.
This incident underscores the growing risks from supply chain software flaws and repeated exploitation of insecure cryptography in enterprise products. The rapid addition of this CVE to CISA’s Known Exploited Vulnerabilities catalog reflects intensifying regulatory scrutiny and a pressing need for organizations to identify and remediate insecure authentication mechanisms promptly.
Why This Matters Now
Gladinet’s flaw is being actively exploited with real-world impact, targeting sectors critical to operations and data integrity. The vulnerability’s trivial exploitation path, hard-coded keys, and public exposure means adversaries can gain persistent and repeatable access unless organizations urgently patch and rotate keys—especially with regulatory deadlines looming.
Attack Path Analysis
The attacker leveraged a hard-coded cryptographic key vulnerability (CVE-2025-14611) in Gladinet’s CentreStack and Triofox public endpoints to forge access tickets and access sensitive files without authentication. By retrieving the machine key from web.config, the attacker enabled ViewState deserialization and achieved remote code execution as the application pool identity. Although attempts to retrieve execution output failed, the adversary likely attempted further movement or persistence. Malicious activity originated from a known IP, and attackers used crafted URLs for repeated unauthorized access. The attack could have been constrained or detected by network segmentation, strict egress, and anomaly detection controls.
Kill Chain Progression
Initial Compromise
Description
Attacker exploited a public-facing vulnerability using a hard-coded cryptographic key to decrypt or forge access tickets, gaining unauthorized access to the targeted application endpoint.
Related CVEs
CVE-2025-14611
CVSS 9.8Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 use hardcoded AES cryptographic keys, allowing unauthenticated attackers to perform arbitrary local file inclusion, potentially leading to full system compromise.
Affected Products:
Gladinet CentreStack – < 16.12.10420.56791
Gladinet Triofox – < 16.12.10420.56791
Exploit Status:
exploited in the wildCVE-2025-11371
CVSS 6.2An unauthenticated local file inclusion vulnerability in Gladinet CentreStack and Triofox allows attackers to retrieve machine keys from the Web.config file, enabling remote code execution.
Affected Products:
Gladinet CentreStack – < 16.4.10315.56368
Gladinet Triofox – < 16.4.10317.56372
Exploit Status:
exploited in the wildReferences:
https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerabilityhttps://www.aha.org/h-isac-white-reports/2025-10-10-h-isac-tlp-white-vulnerability-bulletin-active-exploitation-gladinet-centrestack-and-triofoxhttps://www.techradar.com/pro/security/file-sharing-flaw-prompts-dangerous-cyberattacks-and-theres-no-patchCVE-2025-30406
CVSS 7.1Hardcoded cryptographic keys in Gladinet CentreStack and Triofox allow attackers to perform remote code execution via ASP.NET ViewState deserialization.
Affected Products:
Gladinet CentreStack – < 16.4.10315.56368
Gladinet Triofox – < 16.4.10317.56372
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Unsecured Credentials
Hijack Execution Flow: Component Object Model Hijacking
Exploitation of Remote Services
Create Account
Network Sniffing
Exploit Public-Facing Application
Command and Scripting Interpreter: JavaScript
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Cryptographic Key Management
Control ID: 3.5.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 9(2)(a)
CISA ZTMM 2.0 – Identity Integrity — Key Management
Control ID: Identity and Access Management: Key Management
NIS2 Directive – Security of Network and Information Systems — Encryption
Control ID: Article 21(2)(d)
ISO/IEC 27001:2022 – Cryptographic Controls
Control ID: A.8.24
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Healthcare organizations using CentreStack/Triofox for patient data storage face critical remote code execution risks, violating HIPAA compliance requirements and exposing sensitive medical records.
Information Technology/IT
IT service providers managing client infrastructure through Gladinet products risk widespread remote code execution attacks, potentially compromising multiple customer environments and business operations.
Financial Services
Financial institutions using affected file sharing solutions face unauthorized access to sensitive financial data through hard-coded cryptographic keys, threatening regulatory compliance and customer trust.
Government Administration
Government agencies utilizing CentreStack/Triofox systems risk remote code execution attacks on critical infrastructure, with CISA mandating federal remediation by January 5, 2026.
Sources
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Executionhttps://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.htmlVerified
- Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerabilityhttps://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerabilityVerified
- CISA's Known Exploited Vulnerabilities Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalogVerified
- NVD - CVE-2025-14611https://nvd.nist.gov/vuln/detail/CVE-2025-14611Verified
- Vulnerability Bulletin: Active Exploitation of Gladinet CentreStack and TrioFox Products (CVE-2025-11371)https://www.aha.org/h-isac-white-reports/2025-10-10-h-isac-tlp-white-vulnerability-bulletin-active-exploitation-gladinet-centrestack-and-triofoxVerified
- Experts warn Gladinet file sharing tool flaw prompts dangerous cyberattacks - and there's no patchhttps://www.techradar.com/pro/security/file-sharing-flaw-prompts-dangerous-cyberattacks-and-theres-no-patchVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Comprehensive Zero Trust controls—such as workload segmentation, traffic visibility, runtime threat detection, and strict egress enforcement—could have detected, contained, or prevented multiple phases of this attack by limiting unauthorized east-west and outbound connections, enforcing policy on application endpoints, and rapidly alerting on exploit patterns.
Control: Inline IPS (Suricata)
Mitigation: Exploit patterns and attack signatures would be detected and blocked at the perimeter.
Control: Zero Trust Segmentation
Mitigation: Access to critical assets like web.config from untrusted zones would be restricted.
Control: East-West Traffic Security
Mitigation: Unauthorized lateral movement attempts would be detected and blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 and data flows can be restricted to only approved destinations.
Control: Multicloud Visibility & Control
Mitigation: Anomalous file transfers and data exfiltration attempts would be alerted and could be blocked.
Rapid detection, alerting, and containment of post-exploitation activities.
Impact at a Glance
Affected Business Functions
- File Sharing
- Remote Access
- Data Storage
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive configuration files, including machine keys, leading to unauthorized access and possible data breaches.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce Zero Trust Segmentation and strict east-west policies to prevent lateral movement and unauthorized resource access.
- • Deploy Inline IPS and deep packet inspection at internet-facing and internal application endpoints to detect and block exploitation attempts of known and emerging vulnerabilities.
- • Apply strong egress filtering to block unauthorized outbound traffic, C2 callbacks, and potential exfiltration channels, especially from application pool identities or service accounts.
- • Utilize threat detection and anomaly response solutions that baseline normal behavior and quickly alert on suspicious remote access or deserialization activities.
- • Ensure rapid patch management and configuration hardening for exposed cloud workloads and 3rd-party SaaS, coupled with automated visibility and centralized incident correlation across environments.
