
Hackers Exploit Gladinet CentreStack Flaw for RCE Attacks

▼ Summary

– Attackers are exploiting a newly disclosed cryptographic vulnerability in Gladinet’s CentreStack and Triofox products to recover hardcoded keys and achieve remote code execution.
– The flaw stems from a custom AES-based scheme in which the encryption key and IV are derived from fixed text strings that are identical in every installation and embedded in a product DLL.
– Anyone holding these keys can decrypt or forge “Access Tickets,” impersonate users, and read any file on the server, including configuration files such as web.config.
– Huntress has confirmed at least nine organizations, in sectors including healthcare and technology, targeted by attacks that chain this new flaw with an older one.
– Gladinet has released a patched version; users are urged to upgrade immediately, rotate machine keys, and scan logs for a specific string to check for compromise.

A critical security flaw in Gladinet’s CentreStack and Triofox file-sharing platforms is being actively exploited, enabling attackers to execute code remotely on vulnerable systems. The vulnerability stems from a custom AES-based encryption scheme whose key and IV are hardcoded and identical across every installation. Because the secret is the same everywhere, anyone who extracts it once can forge authentication tickets for any server and ultimately gain complete control of it.

Security researchers at Huntress have identified active exploitation targeting at least nine organizations across sectors including healthcare and technology. The attackers are chaining this new cryptographic weakness with a previously known hardcoded-machineKey ViewState deserialization flaw, tracked as CVE-2025-30406, to escalate from file read to code execution. With the static keys recovered from the product’s own binary, threat actors can decrypt sensitive “Access Tickets” that contain file paths, usernames, and passwords, or mint fraudulent tickets of their own.

The core of the issue lies within the `GladCtrl64.dll` file. There, the encryption key and Initialization Vector (IV) are derived from two fixed 100-byte text strings that cannot be changed by the customer. Because key and IV are universal and static, anyone who obtains them can decrypt any ticket generated by any server, and a fixed IV also means identical plaintexts always produce identical ciphertexts, so the scheme offers no per-installation or per-ticket secrecy at all. Researchers observed attackers forging tickets with timestamps set to the year 9999, ensuring they never expire. They then used these tickets to request the server’s `web.config` file, which contains the ASP.NET machineKey.
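The static-key problem described above, modelled as an added example. This is not Gladinet’s code and not the real ticket format: the two seed strings, the JSON ticket layout and the path names are invented, and a SHA-256 counter-mode keystream stands in for AES so the example runs on the Python standard library alone. The property being demonstrated is the same: a key and IV that are a pure function of constants shipped in every install can be re-derived by anyone who has the binary. The hardened variant at the end (per-installation random key, authenticated tickets, capped lifetime) is the editor’s suggestion, not a description of Gladinet’s fix.

```python
"""Added illustration of the hardcoded-key weakness; not Gladinet code."""
import hashlib
import hmac
import json
import os
import time

# Hypothetical stand-ins for the two fixed strings the key and IV are
# derived from. Every install of the vulnerable design ships the same two.
STATIC_KEY_SEED = b"example-key-seed-identical-in-every-installation"
STATIC_IV_SEED = b"example-iv-seed-identical-in-every-installation"
YEAR_9999 = 253402300799     # 9999-12-31T23:59:59Z, the expiry attackers were seen using
MAX_TICKET_LIFETIME = 3600   # hardened design only: server-enforced cap, seconds


def derive_static_material():
    """Vulnerable design: key and IV are a pure function of shipped constants."""
    return hashlib.sha256(STATIC_KEY_SEED).digest(), hashlib.sha256(STATIC_IV_SEED).digest()[:16]


def keystream_xor(key, iv, data):
    """Stand-in cipher: XOR with SHA-256(key || iv || counter) blocks. Symmetric,
    so one call both encrypts and decrypts; deterministic for a fixed key+IV,
    just as AES with a fixed key and IV would be."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def issue_ticket_vulnerable(path, user, expires):
    """Server side of the vulnerable design: ticket = Enc_static(JSON)."""
    key, iv = derive_static_material()
    return keystream_xor(key, iv, json.dumps({"path": path, "user": user, "exp": expires}).encode())


def read_ticket_vulnerable(ticket):
    """Vulnerable server: anything that decrypts to JSON and is unexpired is trusted."""
    key, iv = derive_static_material()
    fields = json.loads(keystream_xor(key, iv, ticket))
    if fields["exp"] < time.time():
        raise ValueError("ticket expired")
    return fields


def attacker_forge_ticket(path):
    """Whoever lifted the two constants from the DLL derives the same key and IV,
    so they can mint a ticket for any path that expires in the year 9999."""
    key, iv = derive_static_material()
    payload = {"path": path, "user": "administrator", "exp": YEAR_9999}
    return keystream_xor(key, iv, json.dumps(payload).encode())


def generate_install_key():
    """Hardened design: random per-installation key generated at install time
    and stored outside the binary (e.g. a protected configuration store)."""
    return os.urandom(32)


def _subkeys(install_key):
    """Separate encryption and MAC keys derived from the install key."""
    enc = hmac.new(install_key, b"ticket-enc", hashlib.sha256).digest()
    mac = hmac.new(install_key, b"ticket-mac", hashlib.sha256).digest()
    return enc, mac


def issue_ticket_hardened(install_key, path, user, ttl=600):
    """Fresh nonce per ticket, HMAC over nonce+ciphertext, capped lifetime."""
    enc, mac = _subkeys(install_key)
    exp = int(time.time()) + min(ttl, MAX_TICKET_LIFETIME)
    nonce = os.urandom(16)
    body = nonce + keystream_xor(enc, nonce, json.dumps({"path": path, "user": user, "exp": exp}).encode())
    return body + hmac.new(mac, body, hashlib.sha256).digest()


def read_ticket_hardened(install_key, ticket):
    """Reject a bad MAC, an expired ticket, or a lifetime beyond the cap (e.g. year 9999)."""
    enc, mac = _subkeys(install_key)
    body, tag = ticket[:-32], ticket[-32:]
    if not hmac.compare_digest(hmac.new(mac, body, hashlib.sha256).digest(), tag):
        raise ValueError("ticket failed authentication")
    fields = json.loads(keystream_xor(enc, body[:16], body[16:]))
    now = time.time()
    if not now <= fields["exp"] <= now + MAX_TICKET_LIFETIME:
        raise ValueError("ticket expired or lifetime exceeds cap")
    return fields


def demo():
    """The forged ticket is accepted by the vulnerable reader and rejected by the hardened one."""
    forged = attacker_forge_ticket("web.config")
    accepted = read_ticket_vulnerable(forged)
    install_key = generate_install_key()
    try:
        read_ticket_hardened(install_key, forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    legit = read_ticket_hardened(install_key, issue_ticket_hardened(install_key, "docs/a.txt", "alice"))
    return {
        "forged_path_read_by_vulnerable": accepted["path"],
        "forged_expiry": accepted["exp"],
        "forged_rejected_by_hardened": forged_rejected,
        "legit_user_read_by_hardened": legit["user"],
    }


if __name__ == "__main__":
    print(demo())
```

Note that the hardened reader does not just check “not yet expired”; it also rejects any ticket whose expiry lies further ahead than the server’s own cap, which is what stops a year-9999 ticket even if an attacker somehow obtains valid key material later.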

Possession of the machineKey allowed the attackers to exploit a ViewState deserialization flaw: ASP.NET uses the machineKey to validate ViewState, so whoever holds it can sign a malicious serialized payload that the server will then deserialize, which yields remote code execution. From that point the attackers can run arbitrary commands on the compromised server and read or alter any data on disk. The exploitation activity has been linked to a single attacking IP address, but the campaign has not been formally attributed to any threat actor group.

Gladinet has notified its customers about the issue and released an updated version that addresses the vulnerability. Users are strongly advised to upgrade to version 16.12.10420.56791 or later without delay. It is also crucial to rotate the machineKey on affected systems, since any ViewState payload signed with a stolen key stays valid until the key changes; rotation does nothing about the static ticket keys themselves, which only the upgrade addresses.

For defenders, Huntress has provided detailed indicators of compromise. Organizations should scan their web server logs for the specific string `vghpI7EToZUDIZDdprSubL3mTZ2`, which Huntress associates with the manipulated encrypted file-path parameter and considers a reliable sign of a breach. Its absence does not prove the absence of compromise, so a server that was exposed before patching should still have its machineKey rotated and its `web.config` access history reviewed. Proactive monitoring and prompt patching remain the essential steps to secure environments against this ongoing threat.
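One way to run the log check just described, as an added example rather than Huntress’s own tooling. It assumes IIS W3C-format logs, which is the native format for an ASP.NET application such as CentreStack; the sample lines are constructed for the demo and the request paths and query parameters are illustrative, not the product’s real URL layout. The scanner flags the indicator string and any request touching `web.config`, percent-decoding the URI first so encodings such as `web%2Econfig` or `..%2F` are not missed, and summarises hits per client IP.

```python
"""Added example of scanning IIS W3C logs for the published indicator; not Huntress tooling."""
from collections import defaultdict
from urllib.parse import unquote

IOC_STRING = "vghpI7EToZUDIZDdprSubL3mTZ2"  # indicator quoted from the Huntress guidance

# Constructed sample log: IPs from documentation ranges, paths invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-12-01 10:00:01 10.0.0.5 GET /portal/home - 203.0.113.9 200
2025-12-01 10:00:07 10.0.0.5 GET /storage/download t=vghpI7EToZUDIZDdprSubL3mTZ2AAAA 198.51.100.77 200
2025-12-01 10:00:09 10.0.0.5 GET /storage/download t=vghpI7EToZUDIZDdprSubL3mTZ2BBBB&f=..%2Fweb%2Econfig 198.51.100.77 200
2025-12-01 10:01:15 10.0.0.5 POST /portal/login - 203.0.113.9 302
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            if fields is None:
                raise ValueError("data line before any #Fields: header")
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines rather than misalign columns
                yield dict(zip(fields, values))


def classify(entry):
    """Return the indicator labels that apply to one log entry."""
    raw = f"{entry.get('cs-uri-stem', '')}?{entry.get('cs-uri-query', '')}"
    decoded = unquote(raw)
    hits = []
    if IOC_STRING in decoded:
        hits.append("huntress-ioc-string")
    if "web.config" in decoded.lower():
        hits.append("web.config-request")
    return hits


def scan(text):
    """Map client IP -> {label: count} over entries that match any indicator."""
    report = defaultdict(lambda: defaultdict(int))
    for entry in parse_w3c(text):
        for label in classify(entry):
            report[entry["c-ip"]][label] += 1
    return {ip: dict(counts) for ip, counts in report.items()}


if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, counts)
```

Point `scan()` at the concatenated contents of the site’s log directory; any IP that shows both labels has very likely read the machineKey and should be treated as a confirmed compromise, not just a scanner.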

(Source: Bleeping Computer)
