
December 11, 2025

Active exploitation of Gladinet CentreStack and Triofox vulnerability


At a glance: Active exploitation hits Gladinet CentreStack and Triofox via a newly disclosed flaw paired with CVE-2025-11371. Hardcoded AES keys and exposed config files let attackers forge access tickets and reach remote code execution. Patch to version 16.12.10420.56791 immediately and limit external exposure. Field Effect MDR will issue AROs when vulnerable or internet-exposed CentreStack/Triofox servers are detected.

Threat summary

On December 10, 2025, researchers reported active exploitation of a new flaw in Gladinet’s CentreStack and Triofox platforms. This flaw was observed being used alongside CVE-2025-11371, another previously reported and exploited flaw. Gladinet released version 16.12.10420.56791 to address the new issue.

At the time of reporting, the newly disclosed vulnerability had not yet been assigned a CVE identifier or CVSS score. It arises from hardcoded Advanced Encryption Standard (AES) keys generated by the `GenerateSecKey()` function in GladCtrl64.dll. Because these keys are static and cannot be changed, a threat actor only needs to download the software and extract the keys once, after which the same values apply universally to all installations.

When the new flaw is combined with CVE‑2025‑11371—which allows unauthenticated access to sensitive files such as web.config, exposing machine keys—the hardcoded AES keys make it easy to decrypt those files and forge access tickets containing usernames and passwords.

Exploit attempts have been observed leaving the username and password fields blank, which causes the application to fall back to the IIS Application Pool Identity. This fallback provides a reliable execution context under the IIS worker process, allowing the exploit chain to progress into remote code execution and ultimately enable full compromise of the vulnerable server.

Researchers have not attributed exploitation to a specific threat actor, but indicated that exploitation is ongoing.

Insights & mitigations

Gladinet CentreStack and Triofox are enterprise file sharing and remote access solutions widely deployed by managed service providers and enterprises to support secure collaboration and remote workforce access. Vulnerable versions, particularly those with internet‑exposed servers, face the highest risk.

Organizations are advised to deploy Gladinet’s patched version 16.12.10420.56791 without delay. Restricting external exposure of CentreStack and Triofox servers, implementing network segmentation, and monitoring for anomalous activity such as unexpected PowerShell execution from IIS processes are recommended. There are no verified workarounds beyond patching and restricting exposure.
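The monitoring recommendation above can be turned into a process-lineage check. The following is an added example, not Field Effect's or Gladinet's code: it assumes process-creation records carrying Sysmon Event ID 1 field names, and it flags PowerShell whose ancestry includes the IIS worker `w3wp.exe`, including cases where an intermediate process such as `cmd.exe` sits between them. The helper names and all sample events are constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

IIS_WORKER = "w3wp.exe"
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def exe(path):
    return basename(path or "").lower()

def powershell_under_iis(events):
    """Return PowerShell launches that have w3wp.exe anywhere in their ancestry."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if exe(e["Image"]) not in POWERSHELL:
            continue
        chain, seen, cur = [exe(e["Image"])], set(), e
        while cur and cur["ProcessGuid"] not in seen:  # 'seen' stops GUID loops
            seen.add(cur["ProcessGuid"])
            # ParentImage is recorded on the child, so a long-running worker is
            # still identified when its own creation event is not in the data.
            chain.append(exe(cur["ParentImage"]))
            if chain[-1] == IIS_WORKER:
                hits.append({"UtcTime": e["UtcTime"], "CommandLine": e["CommandLine"],
                             "chain": " <- ".join(chain)})
                break
            cur = by_guid.get(cur["ParentProcessGuid"])
    return hits

def ev(t, guid, pguid, image, parent, cmd):
    return {"UtcTime": t, "ProcessGuid": guid, "ParentProcessGuid": pguid,
            "Image": image, "ParentImage": parent, "CommandLine": cmd}

# Constructed sample events (GUIDs shortened, paths and command lines invented).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    ev("2025-12-10 14:02:11", "G-CMD", "G-W3WP", CMD, W3WP, "cmd.exe /c example.bat"),
    ev("2025-12-10 14:02:12", "G-PS1", "G-CMD", PS, CMD, "powershell.exe -File example.ps1"),
    ev("2025-12-10 14:05:40", "G-PS2", "G-EXPL", PS, r"C:\Windows\explorer.exe", "powershell.exe"),
    ev("2025-12-10 14:09:03", "G-PS3", "G-W3WP", r"C:\Program Files\PowerShell\7\pwsh.exe",
       W3WP.upper(), "pwsh.exe -File example.ps1"),
]

if __name__ == "__main__":
    for hit in powershell_under_iis(SAMPLE):
        print(hit["UtcTime"], hit["chain"], "|", hit["CommandLine"])
```

A check on the direct parent alone would miss the second sample event, where `cmd.exe` sits between the worker and PowerShell.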

Field Effect MDR users will be alerted via ARO if vulnerable and/or internet‑exposed CentreStack/Triofox servers are detected in their environment. For an additional layer of defense, Field Effect MDR detects suspicious activity such as unauthorized access to web.config, abnormal IIS process behavior, or unexpected PowerShell execution. 
