Huntress has uncovered active exploitation of a critical flaw in Gladinet’s CentreStack and Triofox file-sharing platforms, where hardcoded cryptographic keys let attackers forge access tickets and read sensitive server files such as web.config. The vulnerability, which has no CVE identifier yet, has hit nine organizations across the healthcare and technology sectors, with attacks originating from IP 147.124.216.205.
The flaw stems from Gladinet’s custom AES-256 encryption in the filesvr.dn HTTP handler, which treats a Base64-encoded “t” parameter as an access ticket containing a file path, username, password and timestamp. The keys are supposed to be derived dynamically by GladCtrl64.dll’s GenerateSecKey function, but it always returns the same fixed strings: Chinese text for the 32-byte AES key and Japanese marketing text for the 16-byte IV. That makes them trivially extractable and reusable. Attackers craft never-expiring tickets (for example, a timestamp set to the year 9999) with blank credentials, which forces a fallback to the IIS Application Pool Identity and grants unauthorized file access, including to web.config’s machine keys.
What sets this apart from typical crypto weaknesses or file-disclosure bugs is how cleanly it chains with earlier Gladinet flaws such as CVE-2025-11371 (LFI) and CVE-2025-30406 (ViewState deserialization). Attackers first probe with CVE-2025-11371, then forge tickets here to grab the machine keys, enabling RCE via deserialized payloads; the orchestrated workflow hints at a knowledgeable actor deeply familiar with the product’s history. Unlike a one-off key leak or a weak RNG, the static DLL output allows indefinite ticket forgery without any server interaction, amplifying persistence on enterprise file servers.
Severity:
Medium
Attack Surface:
File Storage, Infrastructure
Tactics:
Collection, Credential Access, Defense Evasion, Discovery, Execution, Impact, Privilege Escalation
Techniques:
T1190 – Exploit Public-Facing Application
T1550 – Use of Forged Authentication Tokens
T1059 – Command Execution
T1600 – Exploit Weak Cryptography
T1134 – Access Token Manipulation
T1203 – Exploitation for Privilege Escalation
Indicators of Compromise:
1. https://otx.alienvault.com/pulse/693b9669f7aeaef31fe5aa7e
References:
1. https://www.huntress.com/blog/active-exploitation-gladinet-centrestack-triofox-insecure-cryptography-vulnerability
SuperPRO’s Threat Countermeasures Procedures:
1. Upgrade CentreStack or TrioFox to the latest patched build released after November 2025. Apply all updates from the Gladinet Security Update Bulletin for the insecure-cryptography fixes and RCE mitigation via ViewState hardening.
2. Regenerate the machineKey values in web.config, the CentreStack/TrioFox AccessTicket encryption keys and any affected shared secret keys on distributed nodes. Use AES-256-GCM or a similar modern encryption mode where supported.
3. Modify ASP.NET settings on affected hosts, and disable ViewStateUserKey auto-signing bypass features. Block unsigned ViewState submissions using WAF/NGINX/Apache rules.
4. Lock down the CentreStack/TrioFox admin APIs using IP allowlisting, MFA (TOTP or FIDO2 preferred) and VPN or Zero Trust access only, and disable remote admin access on public interfaces.
5. Update Windows Server to Server 2019: KB5037765 or later, and Server 2022: KB5037754 or later. Remove .NET Framework 3.5 unless required. Enable Credential Guard, Exploit Protection (block unsigned code and remote injections) and AppLocker whitelisting for C:\Program Files\Gladinet\.
6. Add WAF signatures to block suspicious ViewState strings beginning with dDwt, overly long __VIEWSTATE and __EVENTVALIDATION parameters, repeated GET /portal/portal_login.ashx calls and forged ticket (t=) parameters in requests.
7. Rotate administrator passwords and credentials. Reset all CentreStack admin passwords, all TrioFox admin accounts and the service accounts connecting to LDAP, SQL Server and storage backends.
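As an added example, not code from Huntress or Gladinet, the following Python script applies the request-level indicators from the countermeasures above (the source IP named in the advisory, filesvr.dn requests carrying a t ticket parameter, repeated portal_login.ashx calls and ViewState values beginning with dDwt) to constructed IIS-style log lines. The W3C field layout, the /storage/filesvr.dn path and the probe threshold are assumptions, and because ViewState normally travels in a POST body, that check only fires where the parameter is visible in the logged query.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

KNOWN_BAD_IPS = {"147.124.216.205"}  # source IP named in the advisory
LOGIN_PROBE_THRESHOLD = 3            # assumed: hits per source IP on portal_login.ashx
# Assumed W3C-style layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log; the /storage/filesvr.dn path is a placeholder.
SAMPLE_LOG = """
2025-12-10 14:02:11 147.124.216.205 GET /portal/portal_login.ashx - 200
2025-12-10 14:02:12 147.124.216.205 GET /portal/portal_login.ashx - 200
2025-12-10 14:02:13 147.124.216.205 GET /portal/portal_login.ashx - 200
2025-12-10 14:02:20 147.124.216.205 GET /storage/filesvr.dn t=QUJDREVG 200
2025-12-10 14:05:02 10.0.0.7 POST /portal/loginpage.aspx __VIEWSTATE=dDwtAAAA 200
"""

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # lines that do not match the assumed layout are skipped
    _date, _time, ip, _method, stem, query, _status = m.groups()
    params = parse_qs("" if query == "-" else query, keep_blank_values=True)
    return {"ip": ip, "stem": stem.lower(), "params": params}

def flags_for(rec):
    # Per-request indicators taken from the countermeasure list above.
    flags = []
    if rec["ip"] in KNOWN_BAD_IPS:
        flags.append("known-bad-source")
    if rec["stem"].endswith("/filesvr.dn") and "t" in rec["params"]:
        flags.append("access-ticket-request")  # the forged-ticket entry point
    for vs in rec["params"].get("__VIEWSTATE", []):
        if vs.startswith("dDwt"):
            flags.append("viewstate-dDwt-prefix")
    return flags

def scan(lines):
    # Maps each source IP to the sorted set of indicators it triggered.
    hits, login_probes = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["stem"].endswith("/portal/portal_login.ashx"):
            login_probes[rec["ip"]] += 1
        hits[rec["ip"]].update(flags_for(rec))
    for ip, n in login_probes.items():
        if n >= LOGIN_PROBE_THRESHOLD:
            hits[ip].add("repeated-login-probe")
    return {ip: sorted(f) for ip, f in hits.items() if f}
```

Run it on a real W3C log only after adjusting LOG_RE to the fields your IIS instance actually records.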
Contributed by: Thivya