
Gladinet CentreStack Flaw Exploited to Hack Organizations

Threat actors have hacked at least nine organizations by exploiting the recently patched Gladinet CentreStack flaw.


Huntress warns of a new wave of attacks targeting Gladinet CentreStack instances to retrieve cryptographic keys and achieve remote code execution.

As part of the attacks, hackers have exploited a new vulnerability in the mobile access and secure sharing solution, the cybersecurity firm says.

The exploited bug, Huntress says, is an insecure cryptography issue that allows attackers to access the ‘web.config’ file, which contains the application’s ‘machineKey’ cryptographic keys.

Huntress’s analysis of the attacks revealed that the hackers have been abusing the fact that CentreStack relies on the same two fixed 100-byte strings to derive its cryptographic keys.

According to the cybersecurity firm, an attacker that can retrieve this cryptographic information can also use it for future encryption/decryption operations, thus compromising the instance.

“Because these keys never change, we could extract them from memory once and use them to decrypt any ticket generated by the server or worse, encrypt our own,” Huntress notes.


Using the two strings, any attacker could craft requests to obtain the machine keys from the ‘web.config’ file, and the server would trust those requests.

Next, armed with the machine keys, the attacker can abuse the ASPX ViewState mechanism in deserialization attacks by forging ViewState payloads and achieving remote code execution.

The ViewState deserialization issue has been exploited this year in attacks targeting two other CentreStack vulnerabilities, namely CVE-2025-30406 and CVE-2025-11371.

Huntress also discovered that the attackers crafted their malicious requests to create a ticket that never expires, which essentially allows them to reuse the same URL indefinitely to retrieve the configuration file.

“As of December 10, we have seen nine organizations that have been impacted by this vulnerability. These businesses ranged across different sectors, from healthcare to technology,” Huntress notes.

No CVE identifier has been published for the flaw and Gladinet has not shared details on it. However, the company notified its customers in late November of a security issue resolved with a new CentreStack update (version 16.11.10417.56762).

Organizations are advised to update to the latest version of CentreStack and Triofox, namely version 16.12.10420.56791, which was released on December 10, and to review the indicators of compromise (IoCs) released by Huntress and Gladinet.
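Two checks that follow from the advice above, as an added example that is not Huntress’s or Gladinet’s code: a numeric comparison of an installed CentreStack build against the fixed version named in the article, and a small script that finds an explicit ‘machineKey’ in a web.config and replaces it with freshly generated random keys, since any machineKey an attacker may have read must be treated as burned. The web.config content is constructed for the example, the key values in it are placeholders, and the key sizes follow standard ASP.NET guidance (64-byte HMACSHA256 validation key, 32-byte AES decryption key).

```python
import secrets
import xml.etree.ElementTree as ET

FIXED_VERSION = "16.12.10420.56791"  # patched CentreStack/Triofox build named in the article

# Constructed sample web.config with an explicit (static) machineKey.
# The key values below are placeholders, not keys from any real deployment.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Compare dotted build numbers numerically; a plain string compare would rank 16.9 above 16.12."""
    def as_tuple(version: str):
        return tuple(int(part) for part in version.split("."))
    return as_tuple(installed) >= as_tuple(fixed)


def find_static_machine_key(xml_text: str):
    """Return the <machineKey> attributes if explicit key material is configured, else None.
    ASP.NET's default is 'AutoGenerate,IsolateApps', which keeps the keys out of web.config."""
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        explicit = [mk.get(a, "AutoGenerate") for a in ("validationKey", "decryptionKey")]
        if any(not v.startswith("AutoGenerate") for v in explicit):
            return dict(mk.attrib)
    return None


def rotate_machine_key(xml_text: str):
    """Replace explicit machineKey values with fresh random keys.
    Returns (new_xml, new_attributes); the old keys are never reused."""
    root = ET.fromstring(xml_text)
    new_attrs = {}
    for mk in root.iter("machineKey"):
        mk.set("validationKey", secrets.token_hex(64).upper())  # 64 bytes for HMACSHA256
        mk.set("decryptionKey", secrets.token_hex(32).upper())  # 32 bytes for AES-256
        mk.set("validation", "HMACSHA256")
        mk.set("decryption", "AES")
        new_attrs = dict(mk.attrib)
    return ET.tostring(root, encoding="unicode"), new_attrs
```

Rotating the machineKey invalidates every existing ViewState and forms-authentication ticket, which is the intended effect after a suspected exposure; it does not replace installing the fixed build, because the fixed strings the attackers abuse are not the machineKey itself.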


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
