Hard-Coded Keys Leave Organizations Vulnerable to Devastating Attacks
A critical vulnerability in Gladinet's CentreStack and Triofox file-sharing products has been disclosed, and it comes down to a basic design flaw: the software relies on hard-coded cryptographic keys. An attacker who knows the key can forge access tickets, read sensitive files from the server and, from there, work toward remote code execution. The flaw is already being exploited in the wild, with organizations in the healthcare and technology sectors among the victims.
The culprit is the function 'GenerateSecKey()' in 'GladCtrl64.dll', which produces the cryptographic key used to encrypt access tickets carrying user credentials. The catch is that it returns the same 100-byte text strings on every call and on every installation, so the key is effectively a constant shipped with the product. Anyone who extracts it from the DLL can decrypt any ticket the software issues and, more importantly, mint tickets of their own. And this is the part most people miss: attackers have used those forged tickets to read web.config, which holds the ASP.NET machine key. With the machine key, an attacker can sign a malicious ViewState payload that the server will deserialize, turning a file-disclosure bug into remote code execution.
The attack itself is simple. Threat actors send crafted URL requests to the vulnerable endpoint carrying a ticket in which the Username and Password fields are left blank and the timestamp is set far in the future, so the ticket never expires. Because the server trusts anything that decrypts under the static key, that is enough to retrieve the server configuration indefinitely. Attackers have not wasted time: nine organizations have already been compromised through this exploit.
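To make the flaw concrete, here is a toy model of a credential-bearing access ticket, first encrypted under a key that every installation shares (and so forgeable with blank credentials and a far-future expiry, exactly the request described above), then under a per-installation key with an integrity tag and server-side policy. This is an added example written for this article, not Gladinet's code or ticket format: the JSON field names, the stream cipher built from an HMAC-SHA256 keystream, and the policy limits are all assumptions chosen so the example runs on the Python standard library alone.

```python
"""Toy access-ticket scheme: static shared key (forgeable) vs. per-install key + MAC.

Hypothetical design for illustration, not Gladinet's format. The cipher is XOR
with an HMAC-SHA256 keystream so the example needs only the standard library.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Stand-in for a key that ships identically in every copy of the software (constructed value).
STATIC_KEY = b"\x41" * 100

MAX_TICKET_LIFETIME = 24 * 3600   # hardened policy: no ticket may live longer than a day
PROTECTED_FILES = {"web.config"}  # hardened policy: configuration is never served via a ticket


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes using HMAC-SHA256 in counter mode."""
    out = b""
    for counter in range(length // 32 + 1):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_ticket(key: bytes, fields: dict) -> str:
    """Encrypt a JSON ticket under `key`. Confidentiality only: no integrity protection."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return base64.urlsafe_b64encode(nonce + ciphertext).decode()


def decrypt_ticket(key: bytes, token: str) -> dict:
    raw = base64.urlsafe_b64decode(token)
    nonce, ciphertext = raw[:16], raw[16:]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


# --- vulnerable design: one static key, and "decrypts cleanly" is treated as "authentic" ---

def vulnerable_authorize(token: str, now: int):
    """Return the path the ticket grants, or None. Trusts any ticket that decrypts."""
    try:
        ticket = decrypt_ticket(STATIC_KEY, token)
    except (ValueError, UnicodeDecodeError):
        return None
    if ticket.get("expires", 0) < now:
        return None
    return ticket.get("path")


def forge_ticket(path: str) -> str:
    """What an attacker who pulled STATIC_KEY out of the DLL can do: blank credentials
    and a far-future expiry, then ask for whatever file they like."""
    return encrypt_ticket(STATIC_KEY, {"user": "", "password": "", "expires": 2**31 - 1, "path": path})


# --- hardened design: per-installation key, MAC over the ticket, server-side policy ---

def new_install_key() -> bytes:
    """Generated once at install time and stored outside the binary (e.g. DPAPI-protected config)."""
    return secrets.token_bytes(32)


def issue_ticket(install_key: bytes, user: str, password: str, path: str, now: int, ttl: int) -> str:
    fields = {"user": user, "password": password, "path": path, "issued": now, "expires": now + ttl}
    body = encrypt_ticket(install_key, fields)
    tag = hmac.new(install_key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def hardened_authorize(install_key: bytes, token: str, now: int):
    """Reject forged, tampered, credential-less, over-long-lived or config-targeting tickets."""
    if "." not in token:
        return None
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(install_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                       # wrong key or modified ticket: checked before decrypting
    ticket = decrypt_ticket(install_key, body)
    if not ticket.get("user") or not ticket.get("password"):
        return None                       # blank credentials never authorize anything
    if not (ticket["issued"] <= now <= ticket["expires"] <= ticket["issued"] + MAX_TICKET_LIFETIME):
        return None                       # expired, not yet valid, or "eternal"
    if ticket["path"].lower().rsplit("/", 1)[-1] in PROTECTED_FILES:
        return None                       # configuration files are never served through tickets
    return ticket["path"]
```

The point of the second half is that each layer is independent: even if an attacker somehow obtained one installation's key, the lifetime cap and the blank-credential check would still refuse the "eternal, no-password" ticket used in these attacks, and the protected-file rule would still refuse web.config.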
What makes this worse is that the vulnerability has been chained with a previously disclosed flaw, CVE-2025-11371, in the observed intrusions. The attackers went after the machine key in the web.config file. Their ViewState deserialization attempt did not return the output of the executed command, but a deserialization payload can run without ever returning output, so a failed retrieval is no proof that the attempt was harmless. The potential for disaster is clear.
Organizations running CentreStack or Triofox must act immediately. Update to the fixed release (16.12.10420.56791), then review web server logs for requests carrying the encrypted web.config file path, since that is the indicator of an attacker using a forged ticket to pull the configuration. If there is any sign the file was retrieved, treat the machine key as compromised and rotate it on every server that shares it: patching stops new tickets from being forged, but it does not revoke a key an attacker already holds.
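Rotating the ASP.NET machine key means replacing the validationKey and decryptionKey attributes of the <machineKey> element under <system.web> in web.config with freshly generated random values. The script below does exactly that against a constructed sample web.config; it is an added example for this article and not Gladinet's tooling, and the placeholder key values in the sample are invented. The key sizes (64 bytes for an HMACSHA256 validation key, 32 bytes for an AES decryption key, both written as hex) match what ASP.NET expects.

```python
"""Rotate the ASP.NET <machineKey> in a web.config after a suspected key disclosure.

Added example, not Gladinet's tooling. Standard library only; the sample config
below is constructed and its key values are placeholders.
"""
import secrets
import xml.etree.ElementTree as ET

VALIDATION_KEY_BYTES = 64   # HMACSHA256 validation key
DECRYPTION_KEY_BYTES = 32   # AES-256 decryption key

# Constructed sample: a web.config whose machine key is assumed to be compromised.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="OLD_VALIDATION_KEY_PLACEHOLDER"
                decryptionKey="OLD_DECRYPTION_KEY_PLACEHOLDER"
                validation="SHA1" decryption="Auto" />
  </system.web>
</configuration>
"""


def generate_machine_key() -> dict:
    """Fresh random keys from the OS CSPRNG, hex-encoded as ASP.NET expects."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def _find_child(parent, tag):
    # Plain child scan rather than ElementPath, because the tag "system.web" contains a dot.
    return next((child for child in parent if child.tag == tag), None)


def rotate_machine_key(config_xml: str) -> tuple:
    """Return (new web.config text, new key attributes). Adds <machineKey> if it is missing."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    system_web = _find_child(root, "system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    node = _find_child(system_web, "machineKey")
    if node is None:
        node = ET.SubElement(system_web, "machineKey")
    new_key = generate_machine_key()
    node.attrib.update(new_key)   # overwrite the compromised values, keep any other attributes
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body, new_key


def machine_key_of(config_xml: str) -> dict:
    """Read back the current <machineKey> attributes (empty dict if none)."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    system_web = _find_child(root, "system.web")
    node = _find_child(system_web, "machineKey") if system_web is not None else None
    return dict(node.attrib) if node is not None else {}


if __name__ == "__main__":
    rotated, key = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print(rotated)
```

Two operational notes: the same new values must be written to every server in a web farm that shares the key, and rotation invalidates every existing ViewState and forms-authentication token, so users will be signed out. The IIS Manager "Machine Key" feature generates keys of the same shape if you prefer a GUI.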
This incident is a reminder of why hard-coded keys are dangerous: a secret that is identical in every copy of the software is not a secret at all, and no amount of encryption built on top of it can be trusted. Are these steps enough to protect organizations from the next attack? Share your thoughts in the comments below!