Vulnerability
Advisory/Mitigation
Exploitation Wave
Security Patch Release
Gladinet machine-key exploitation chain
Updated 11.12.2025 23:49
Case score 69
Score breakdown
- Total: 69
- Lead score: 64
- Support bonus: +5 / 20
- Scoring support: 2
- Context members: 2
Top contributors
- Vulnerability (base): Defines the hardcoded-key abuse path that lets attackers decrypt or forge access tickets and move toward remote code execution.
- Advisory/Mitigation (context): Adds the temporary mitigation guidance to disable the temp handler in `UploadDownloadProxy/Web.config`.
- Security Patch Release (context): Supplies patch context for CVE-2025-11371 and the temporary handler workaround.
- Vulnerability (support): Shows the local file inclusion path that exposes `Web.config` and supplies the machine key used in the follow-on chain.
Members 5
Latest activity 11.12.2025 23:49
Active exploitation
KEV: CISA KEV
Patch/mitigation varies by member
CVSS: 9.8 Critical
First seen 10.10.2025 12:34
Last seen 11.12.2025 23:49
Overview
Attackers are exploiting **Gladinet CentreStack** and **Triofox** by abusing hardcoded AES keys and access-ticket handling to recover `Web.config`, steal the ASP.NET machine key, and reach **remote code execution**.
Huntress said the activity had already targeted **at least nine organizations**, used crafted requests from `147.124.216[.]205`, and relied on `/storage/filesvr.dn` traffic to forge or decrypt tickets. The same chain also depends on **CVE-2025-11371**, where a local file inclusion bug exposes `Web.config` and supplies the machine key needed for the follow-on exploit.
Gladinet released **CentreStack 16.10.10408.56683** for **CVE-2025-11371** and told administrators to install it. If upgrading is not possible, the temporary mitigation is to disable the temp handler in `UploadDownloadProxy/Web.config`, at the cost of some platform functionality. For the hardcoded-key issue, Gladinet also pushed **version 16.12.10420.56791** and advised customers to rotate machine keys; patching alone does not invalidate a key that was already read out of `Web.config`.
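Two checks a defender wants around the "rotate machine keys" advice: whether independent installs share one `<machineKey>` (the tell-tale of a vendor-static key, which makes a single `Web.config` leak a break of every deployment), and a rotation that replaces the pair with fresh random values. The following is an added example written for this page, not Gladinet's tooling or the product's real configuration; the `Web.config` fragments and the key values in them are constructed placeholders, and the element path `system.web/machineKey` is the standard ASP.NET location rather than anything specific to CentreStack.

```python
"""Spot a machineKey shared across installs, then rotate it.

Added example, not vendor code. All Web.config content below is constructed;
the key values are placeholders, not Gladinet's real keys.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Optional

MACHINE_KEY_PATH = "./system.web/machineKey"   # standard ASP.NET location


def _sample_config(validation_key: str, decryption_key: str) -> str:
    """Constructed Web.config fragment with an explicit, static machineKey."""
    return (
        "<configuration>\n"
        "  <system.web>\n"
        f'    <machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}"\n'
        '                validation="HMACSHA256" decryption="AES" />\n'
        "  </system.web>\n"
        "</configuration>\n"
    )


# Placeholder static key pair that two unrelated installs happen to share: the
# hardcoded-key condition. tenant-c already has its own pair.
PLACEHOLDER_VK = "11" * 64   # 128 hex chars = 64-byte HMACSHA256 key
PLACEHOLDER_DK = "22" * 32   # 64 hex chars = 32-byte AES-256 key
INSTALLS = {
    "tenant-a": _sample_config(PLACEHOLDER_VK, PLACEHOLDER_DK),
    "tenant-b": _sample_config(PLACEHOLDER_VK, PLACEHOLDER_DK),
    "tenant-c": _sample_config("33" * 64, "44" * 32),
}


def read_machine_key(config_xml: str) -> Optional[dict]:
    """Return the machineKey attributes, or None if the element is absent."""
    node = ET.fromstring(config_xml).find(MACHINE_KEY_PATH)
    return None if node is None else dict(node.attrib)


def installs_sharing_keys(installs: dict) -> dict:
    """Map each validationKey found in more than one install to those installs.

    Independent deployments should never share a key. If they do, the key is
    effectively public: reading Web.config from any one host (for example via
    the LFI in this chain) yields the key for all of them.
    """
    by_key: dict = {}
    for name, xml in installs.items():
        attrs = read_machine_key(xml)
        if attrs and "validationKey" in attrs:
            by_key.setdefault(attrs["validationKey"].upper(), []).append(name)
    return {k: v for k, v in by_key.items() if len(v) > 1}


def generate_machine_key() -> tuple:
    """Fresh pair sized like the IIS key generator: 64-byte validation key for
    HMACSHA256, 32-byte decryption key for AES-256, upper-case hex."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def rotate_machine_key(config_xml: str) -> tuple:
    """Return (new_xml, new_attrs) with a freshly generated key pair.

    Caveats: every node of a web farm must receive the same new pair; rotation
    invalidates outstanding forms-auth tickets and ViewState, which is the
    point. ElementTree drops comments and the XML declaration, so keep a backup
    of the original file before overwriting it with the result.
    """
    root = ET.fromstring(config_xml)
    node = root.find(MACHINE_KEY_PATH)
    if node is None:
        # Without an explicit element ASP.NET auto-generates a per-machine key,
        # so there is no static value to rotate.
        raise ValueError("no <machineKey> element found")
    vk, dk = generate_machine_key()
    node.set("validationKey", vk)
    node.set("decryptionKey", dk)
    node.set("validation", "HMACSHA256")
    node.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode"), dict(node.attrib)


if __name__ == "__main__":
    print("shared keys:", installs_sharing_keys(INSTALLS))
    new_xml, attrs = rotate_machine_key(INSTALLS["tenant-a"])
    print(new_xml)
```

Run `installs_sharing_keys` across the `Web.config` files collected from several installs before and after rotation; once each install carries its own pair the result is empty, and a key lifted from any one host no longer lets an attacker forge tickets for the others.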
Available evidence does not quantify the full reach of the abuse, and it is not clear whether every targeted deployment was actually compromised or only probed. Defenders should treat reads of `Web.config`, unexpected ticket requests, and the listed indicators as signs of active compromise rather than routine scanning. The response priority is to patch exposed systems, rotate machine keys (a key already stolen stays valid until it is rotated), and investigate for requests to the temp-download handler.
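The indicators above map onto IIS request logs directly: the reported source address, traversal requests that reach `Web.config`, and traffic to `/storage/filesvr.dn`, with the strongest signal being the two halves of the chain from the same source in order (a successful `Web.config` read, then ticket traffic). The triage script below is an added example, not Huntress's or Gladinet's tooling; its log lines are constructed. The IP and the `filesvr.dn` path come from the reporting on this page, while `/storage/t.dn` stands in for the temp-download handler path, which the page does not name, and is an assumption.

```python
"""Triage an IIS W3C log for the CentreStack/Triofox exploitation chain.

Added example, not vendor or Huntress tooling. The log is constructed. The
147.124.216.205 source and /storage/filesvr.dn come from the reporting; the
/storage/t.dn handler path is an ASSUMED placeholder.
"""
from urllib.parse import unquote

INDICATOR_IPS = {"147.124.216.205"}      # source address from the reporting
TICKET_PATH = "/storage/filesvr.dn"      # ticket forge/decrypt traffic per the reporting
TEMP_HANDLER_PATHS = {"/storage/t.dn"}   # ASSUMED placeholder for the temp handler

# Constructed W3C log. Line 4: successful Web.config read from the reported IP.
# Line 5: its follow-on ticket traffic. Line 6: ordinary ticket traffic from an
# internal host. Line 7: a failed traversal attempt from a different source.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-11-10 03:14:02 GET /portal/login - 10.0.0.5 200
2025-11-10 03:14:07 GET /storage/t.dn s=..%2F..%2F..%2FUploadDownloadProxy%2FWeb.config 147.124.216.205 200
2025-11-10 03:14:09 POST /storage/filesvr.dn - 147.124.216.205 200
2025-11-10 03:15:30 POST /storage/filesvr.dn - 10.0.0.5 200
2025-11-10 04:02:11 GET /storage/t.dn s=../../../UploadDownloadProxy/web.config 203.0.113.9 404
"""


def parse_w3c(text):
    """Yield (line_number, record) per data line, keyed by the #Fields header."""
    fields = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            parts = raw.split(" ")
            if len(parts) == len(fields):        # skip truncated or malformed lines
                yield lineno, dict(zip(fields, parts))


def assess(lineno, rec):
    """Score one request against the chain's indicators; None if nothing matches."""
    stem = unquote(rec.get("cs-uri-stem", "")).lower()   # IIS paths are case-insensitive
    query = rec.get("cs-uri-query", "")
    query = "" if query == "-" else unquote(query).lower()
    target = stem + "?" + query
    flags = {
        "indicator_ip": rec.get("c-ip") in INDICATOR_IPS,
        "webconfig": "web.config" in target or "../" in target or "..\\" in target,
        "temp_handler": stem in TEMP_HANDLER_PATHS,
        "ticket": stem == TICKET_PATH,
    }
    # A 200 on a Web.config read means the machine key is presumed stolen.
    flags["webconfig_ok"] = flags["webconfig"] and rec.get("sc-status") == "200"
    score = (3 * flags["indicator_ip"] + 3 * flags["webconfig"] + flags["webconfig_ok"]
             + flags["temp_handler"] + flags["ticket"])
    if score == 0:
        return None
    # Legitimate clients also use filesvr.dn, so that alone is only "review".
    return {"line": lineno, "c-ip": rec.get("c-ip"), "score": score,
            "severity": "high" if score >= 3 else "review", **flags}


def scan_iis_log(text):
    """All scored requests, in file order."""
    return [h for h in (assess(n, r) for n, r in parse_w3c(text)) if h]


def chained_sources(hits):
    """Sources that read Web.config successfully and later hit the ticket
    endpoint: both halves of the chain from one address, in order."""
    read_ok, chained = set(), set()
    for h in hits:
        if h["webconfig_ok"]:
            read_ok.add(h["c-ip"])
        if h["ticket"] and h["c-ip"] in read_ok:
            chained.add(h["c-ip"])
    return chained


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']:>3} {h['c-ip']:<16} {h['severity']:<6} score={h['score']}")
    print("chain completed from:", sorted(chained_sources(hits)))
```

Point the parser at the real `u_ex*.log` files for the site (the `#Fields` header is read from the file, so column order does not matter), and treat any address returned by `chained_sources` as a host whose machine key must be assumed stolen: rotate it and look for what the forged tickets were used for next.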