Active Exploitation of Multiple Critical Vulnerabilities in Gladinet and TrioFox
Summary
Active exploitation of critical vulnerabilities in Gladinet's CentreStack and Triofox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files; it affects all versions prior to and including 16.7.10368.56560. Researchers at Huntress detected the vulnerability on September 27, 2025. It has been exploited to retrieve the machine key from the application Web.config file, which in turn enables remote code execution (RCE) through an older ViewState deserialization vulnerability (CVE-2025-30406). Three customers have been impacted so far. The vendor, Gladinet, was notified and is working on a fix; a patch for CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy. This mitigation affects some functionality of the platform but prevents exploitation of CVE-2025-11371. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation; Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks.
Additionally, a new critical vulnerability, CVE-2025-12480 (CVSS score: 9.8), has been discovered in Gladinet's Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and access configuration pages, resulting in the upload and execution of arbitrary payloads. It was discovered and reported by Mandiant on November 10. The flaw stems from missing origin validation and over-reliance on the HTTP Host header: by spoofing localhost in the Host header, attackers bypass the access controls on the normally restricted AdminDatabase.aspx setup page and reach the initial setup pages even after setup is complete. The threat cluster tracked as UNC6485 has been exploiting this flaw since August 24, 2025; the exploitation campaign started on August 14, 2025. The attackers logged in with a newly created Admin account, uploaded malicious files and executed them through the built-in antivirus feature, set up encrypted tunnels to command-and-control servers, and leveraged remote access tools like Zoho Assist and AnyDesk for further exploitation.
Another actively exploited vulnerability in CentreStack and Triofox has been disclosed, stemming from the use of hard-coded cryptographic keys; it has affected nine organizations so far. The hard-coded keys allow threat actors to decrypt or forge access tickets and so retrieve sensitive files such as web.config, which can then be exploited to achieve ViewState deserialization and remote code execution. The attacks involve specially crafted URL requests to the "/storage/filesvr.dn" endpoint with the Username and Password fields left blank, causing the application to fall back to the IIS Application Pool Identity. The timestamp field in the access ticket is set to 9999, creating a ticket that never expires, so the URL can be reused indefinitely to download the server configuration. Organizations using CentreStack and Triofox are advised to update to the latest version, 16.12.10420.56791, released on December 8, 2025, and to scan logs for the string "vghpI7EToZUDIZDdprSubL3mTZ2", the encrypted representation of the web.config file path. Where indicators of compromise (IoCs) are found, rotate the machine key by generating new keys in IIS Manager and restarting IIS, repeating the same step on all worker nodes.
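As an added detection illustration (not code from any of the cited articles or from Gladinet), the following Python scans IIS W3C log lines for the three request patterns the summary describes: t.dn requests whose 's=' value contains traversal or web.config, any record carrying the published web.config ticket string, and AdminDatabase.aspx reached with a localhost Host header from a non-loopback client. It assumes the optional cs-host field is enabled in IIS logging so the Host header is recorded; the sample log lines and the filesvr.dn query layout are constructed placeholders.

```python
"""Flag the three Gladinet/Triofox request patterns in IIS W3C extended logs."""
import ipaddress
import re
from urllib.parse import parse_qs, unquote

# Indicator quoted in the guidance above: the encrypted web.config path
# carried inside a forged filesvr.dn access ticket.
WEBCONFIG_TICKET_IOC = "vghpI7EToZUDIZDdprSubL3mTZ2"
# Traversal or a direct web.config reference inside the t.dn 's=' parameter.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|web\.config)", re.IGNORECASE)
LOCALHOST_NAMES = {"localhost", "127.0.0.1"}

# Constructed sample log (not real telemetry). Field order follows the
# '#Fields:' directive; 'cs-host' is an optional IIS field assumed enabled.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-host sc-status
2025-10-01 03:12:07 203.0.113.9 GET /storage/t.dn s=..\..\..\web.config portal.example.com 200
2025-12-09 11:05:13 198.51.100.7 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2 portal.example.com 200
2025-09-02 08:44:51 192.0.2.55 GET /AdminDatabase.aspx - localhost 200
2025-09-02 09:00:10 127.0.0.1 GET /AdminDatabase.aspx - localhost 200
2025-10-01 09:15:00 203.0.113.20 GET /storage/t.dn s=quarterly-report.pdf portal.example.com 200
"""


def parse_w3c(lines):
    """Yield one dict per record, keyed by the most recent '#Fields:' directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed record: skip rather than misparse
        yield dict(zip(fields, parts))


def _query(rec):
    """Decode cs-uri-query into a dict; IIS logs '-' when there is no query."""
    q = rec.get("cs-uri-query", "-")
    return {} if q == "-" else parse_qs(unquote(q), keep_blank_values=True)


def classify(rec):
    """Return the rule name matching one parsed record, or None if benign."""
    stem = rec.get("cs-uri-stem", "").lower()
    # CVE-2025-11371: temp-download handler with a traversal in 's='.
    if stem.endswith("/storage/t.dn"):
        if any(TRAVERSAL_RE.search(unquote(v)) for v in _query(rec).get("s", [])):
            return "lfi-t.dn"
    # Hard-coded key flaw: the encrypted web.config path appears in the request.
    if any(WEBCONFIG_TICKET_IOC in value for value in rec.values()):
        return "forged-ticket"
    # CVE-2025-12480: setup page reached with a spoofed localhost Host header.
    if stem.endswith("/admindatabase.aspx"):
        host = rec.get("cs-host", "-").lower().split(":")[0]
        try:
            client_is_loopback = ipaddress.ip_address(rec.get("c-ip", "")).is_loopback
        except ValueError:
            client_is_loopback = False
        if host in LOCALHOST_NAMES and not client_is_loopback:
            return "host-spoof"
    return None


def scan(lines):
    """Return [(rule, client_ip, uri_stem), ...] for every suspicious record."""
    findings = []
    for rec in parse_w3c(lines):
        rule = classify(rec)
        if rule:
            findings.append((rule, rec["c-ip"], rec["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for rule, ip, stem in scan(SAMPLE_LOG.splitlines()):
        print(f"{rule:14} {ip:15} {stem}")
```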
Timeline
- 11.12.2025 23:49 · 1 article · 23h ago
Attackers exploit hard-coded cryptographic keys in Gladinet products
The new cryptographic vulnerability in Gladinet's CentreStack and Triofox products stems from the custom implementation of the AES cryptographic algorithm, where the encryption key and Initialization Vector (IV) were hardcoded inside the GladCtrl64.dll file and could be easily obtained. The flaw lies in the processing of the 'filesvr.dn' handler, which decrypts the 't' parameter (Access Ticket) using those static keys. The attackers forged Access Tickets using the hardcoded AES keys and set the timestamp to the year 9999, so the ticket never expires. They then requested the server's web.config file, which contains the machineKey, and used it to trigger remote code execution through a ViewState deserialization flaw. The attacking IP address observed in these attacks is 147.124.216[.]205. The flaw was detected by researchers at Huntress, who confirmed nine affected organizations as of December 10, 2025, from various sectors, including healthcare and technology.
Sources:
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- 11.12.2025 07:56 · 2 articles · 1d ago
New vulnerability in Gladinet products due to hard-coded keys
A new actively exploited vulnerability in Gladinet's CentreStack and Triofox products has been disclosed, stemming from the use of hard-coded cryptographic keys. This flaw has affected nine organizations across various sectors. The use of hard-coded cryptographic keys could allow threat actors to decrypt or forge access tickets, enabling them to access sensitive files like web.config that can be exploited to achieve ViewState deserialization and remote code execution. The attacks involve specially crafted URL requests to the "/storage/filesvr.dn" endpoint, with the Username and Password fields left blank, causing the application to fall back to the IIS Application Pool Identity. The timestamp field in the access ticket is set to 9999, creating a ticket that never expires, allowing threat actors to reuse the URL indefinitely to download the server configuration. The flaw lies in the custom implementation of the AES cryptographic algorithm, where the encryption key and Initialization Vector (IV) were hardcoded inside the GladCtrl64.dll file. The attackers have been observed forging Access Tickets using these hardcoded keys and setting the timestamp to year 9999, making the tickets never expire. This allows them to request the server’s web.config file, which contains the machineKey, and use it to trigger remote code execution through a ViewState deserialization flaw. Organizations using CentreStack and Triofox are advised to update to the latest version, 16.12.10420.56791, released on December 8, 2025, and scan logs for the presence of the string "vghpI7EToZUDIZDdprSubL3mTZ2," which is the encrypted representation of the web.config file path. In the event of indicators of compromise (IoCs), it is imperative to rotate the machine key by generating new keys in the IIS Manager and restarting IIS after repeating the same step for all worker nodes.
Sources:
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- 10.11.2025 22:49 · 3 articles · 1mo ago
UNC6485 exploits CVE-2025-12480 to deploy remote access tools
The threat cluster tracked as UNC6485 has been exploiting the critical vulnerability CVE-2025-12480 in Gladinet's Triofox platform since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers. They have also leveraged remote access tools like Zoho Assist and AnyDesk for further exploitation, including reconnaissance and privilege escalation. The vulnerability CVE-2025-12480 was discovered and reported by Mandiant on November 10. The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads. The exploitation campaign started on August 14, 2025. The attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page. The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages. The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature. A new actively exploited vulnerability in Gladinet's CentreStack and Triofox products has been disclosed, stemming from the use of hard-coded cryptographic keys. This flaw has affected nine organizations across various sectors. The attacks involve specially crafted URL requests to the "/storage/filesvr.dn" endpoint, with the Username and Password fields left blank, causing the application to fall back to the IIS Application Pool Identity. The timestamp field in the access ticket is set to 9999, creating a ticket that never expires, allowing threat actors to reuse the URL indefinitely to download the server configuration.
Sources:
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- 16.10.2025 18:11 · 4 articles · 1mo ago
Gladinet releases patch for CVE-2025-11371
A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. Additionally, users are advised to update to the latest version of Triofox to address the newly discovered CVE-2025-12480 vulnerability, audit admin accounts, and verify that Triofox's antivirus engine is not configured to execute unauthorized scripts or binaries. Organizations using CentreStack and Triofox are advised to update to the latest version, 16.12.10420.56791, released on December 8, 2025, and scan logs for the presence of the string "vghpI7EToZUDIZDdprSubL3mTZ2," which is the encrypted representation of the web.config file path. In the event of indicators of compromise (IoCs), it is imperative to rotate the machine key by generating new keys in the IIS Manager and restarting IIS after repeating the same step for all worker nodes.
Sources:
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- 10.10.2025 12:34 · 7 articles · 2mo ago
Active Exploitation of CVE-2025-11371 in Gladinet and TrioFox
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation. The flaw was detected by Huntress in September 2025 and has been actively exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks. Additionally, a new critical vulnerability, CVE-2025-12480 (CVSS score: 9.8), has been discovered in Gladinet's Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and access configuration pages, resulting in the upload and execution of arbitrary payloads. The threat cluster tracked as UNC6485 has been exploiting this flaw since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers, leveraging remote access tools like Zoho Assist and AnyDesk for further exploitation. A new actively exploited vulnerability in Gladinet's CentreStack and Triofox products has been disclosed, stemming from the use of hard-coded cryptographic keys. This flaw has affected nine organizations across various sectors. The attacks involve specially crafted URL requests to the "/storage/filesvr.dn" endpoint, with the Username and Password fields left blank, causing the application to fall back to the IIS Application Pool Identity. The timestamp field in the access ticket is set to 9999, creating a ticket that never expires, allowing threat actors to reuse the URL indefinitely to download the server configuration.
Sources:
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
Information Snippets
- The zero-day vulnerability CVE-2025-11371 affects all versions of Gladinet CentreStack and TrioFox prior to and including 16.7.10368.56560.
  First reported: 10.10.2025 12:34 · 2 sources, 7 articles. Sources:
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The flaw is an unauthenticated local file inclusion bug that allows unintended disclosure of system files.
  First reported: 10.10.2025 12:34 · 2 sources, 7 articles. Sources:
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability.
  First reported: 10.10.2025 12:34 · 2 sources, 6 articles. Sources:
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- Three customers have been impacted by the active exploitation.
  First reported: 10.10.2025 12:34 · 2 sources, 6 articles. Sources:
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- Users are advised to disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk until a patch is available.
  First reported: 10.10.2025 12:34 · 2 sources, 6 articles. Sources:
- From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability — thehackernews.com — 10.10.2025 12:34
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The zero-day vulnerability CVE-2025-11371 affects Gladinet CentreStack and Triofox file sharing and remote access solutions.
  First reported: 10.10.2025 22:08 · 2 sources, 5 articles. Sources:
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The vulnerability was detected by researchers at Huntress on September 27, 2025.
  First reported: 10.10.2025 22:08 · 2 sources, 6 articles. Sources:
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The flaw was exploited to obtain a machine key and execute code remotely.
  First reported: 10.10.2025 22:08 · 2 sources, 6 articles. Sources:
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The issue was an LFI leveraged to read the Web.config and extract the machine key.
  First reported: 10.10.2025 22:08 · 2 sources, 6 articles. Sources:
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The attack used an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState.
  First reported: 10.10.2025 22:08 · 2 sources, 6 articles. Sources:
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The vendor, Gladinet, was notified and is working on a patch.
  First reported: 10.10.2025 22:08 · 2 sources, 6 articles. Sources:
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The mitigation involves disabling the temp handler in the Web.config file for the UploadDownloadProxy component.
  First reported: 10.10.2025 22:08 · 2 sources, 6 articles. Sources:
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371.
  First reported: 10.10.2025 22:08 · 2 sources, 6 articles. Sources:
- Hackers exploiting zero-day in Gladinet file sharing software — www.bleepingcomputer.com — 10.10.2025 22:08
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683.
  First reported: 16.10.2025 18:11 · 2 sources, 4 articles. Sources:
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The root cause of the LFI issue is a sanitization failure at the temp-download handler, reachable at /storage/t.dn, which accepts an 's=' parameter, leading to directory traversal.
  First reported: 16.10.2025 18:11 · 2 sources, 5 articles. Sources:
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The service runs as NT AUTHORITY\SYSTEM and resolves files relative to the temp folder, allowing attackers to read any file the SYSTEM account can access, including Web.config, which contains the ASP.NET machine key.
  First reported: 16.10.2025 18:11 · 2 sources, 5 articles. Sources:
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- Huntress observed HTTP requests to '/storage/t.dn?s=…' returning Web.config, followed by base64-encoded POST payloads triggering command execution on the targets.
  First reported: 16.10.2025 18:11 · 2 sources, 5 articles. Sources:
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- Huntress published a one-line PowerShell Invoke-WebRequest example showing how an unauthenticated request to '/storage/t.dn?s=...' can be used to retrieve Web.config.
  First reported: 16.10.2025 18:11 · 2 sources, 5 articles. Sources:
- Gladinet fixes actively exploited zero-day in file-sharing software — www.bleepingcomputer.com — 16.10.2025 18:11
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- CISA added the Gladinet vulnerability CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025.
  First reported: 05.11.2025 08:12 · 2 sources, 4 articles. Sources:
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation.
  First reported: 05.11.2025 08:12 · 2 sources, 4 articles. Sources:
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
-
Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes for CVE-2025-11371 by November 25, 2025, to secure their networks.
First reported: 05.11.2025 08:12 (2 sources, 4 articles)
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence — thehackernews.com — 05.11.2025 08:12
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1 according to The Hacker News; Infosecurity Magazine cites 9.8), allows an unauthenticated attacker to reach the Triofox configuration pages and, from there, upload and execute arbitrary payloads.
First reported: 10.11.2025 22:49 (3 sources, 4 articles)
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The threat cluster tracked as UNC6485 weaponized the flaw as far back as August 24, 2025, nearly a month after Gladinet had fixed it in version 16.7.10368.56560.
First reported: 10.11.2025 22:49 (3 sources, 4 articles)
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The threat actor used the unauthenticated access to reach the configuration pages and re-ran the setup process there to create a new native admin account, named Cluster Admin.
First reported: 10.11.2025 22:49 (3 sources, 4 articles)
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The attackers used the built-in antivirus feature to upload and execute malicious files by configuring the path of the antivirus engine to point to the script.
First reported: 10.11.2025 22:49 (3 sources, 4 articles)
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The attackers downloaded tools like Plink and PuTTY to set up an encrypted tunnel to a command-and-control (C2) server over port 433 via SSH with the ultimate goal of allowing inbound RDP traffic.
First reported: 10.11.2025 22:49 (2 sources, 3 articles)
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The remote access afforded by Zoho Assist, one of the remote access tools the attackers installed through the antivirus feature, was used for reconnaissance, followed by attempts to change the passwords of existing accounts and add them to the local Administrators and "Domain Admins" groups for privilege escalation.
First reported: 10.11.2025 22:49 (2 sources, 3 articles)
- Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature — thehackernews.com — 10.11.2025 22:49
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
CVE-2025-12480 is a critical improper access control flaw (CVSS: 9.8 according to Infosecurity Magazine) affecting Triofox versions prior to 16.7.10368.56560, the release that fixed it.
First reported: 11.11.2025 14:30 (3 sources, 3 articles)
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads.
First reported: 11.11.2025 14:30 (3 sources, 3 articles)
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
According to Infosecurity Magazine the exploitation campaign started on August 14, 2025; The Hacker News dates the earliest observed exploitation to August 24, 2025.
First reported: 11.11.2025 14:30 (3 sources, 3 articles)
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The attackers bypassed the access control on the normally restricted AdminDatabase.aspx setup page by sending requests with the HTTP Host header set to localhost, which the application treated as proof of a trusted local request.
First reported: 11.11.2025 14:30 (3 sources, 3 articles)
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The root cause was missing origin validation: the application relied on the client-controlled Host header to decide whether a request came from the local machine, so an unauthenticated remote client could reach critical configuration pages.
First reported: 11.11.2025 14:30 (3 sources, 3 articles)
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
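The access-control mistake in the two statements above, as an added illustration that is not Gladinet's code: a setup-page gate that reads the client-controlled Host header to decide whether a request is local, beside a version that uses the socket's peer address and a setup-complete flag. The Request shape, the function names and the /AdminDatabase.aspx path check are assumptions made for the example.

```python
"""Vulnerable vs. fixed gate for a setup page. Added illustration; Request
fields, function names and the AdminDatabase.aspx path check are assumed."""
import ipaddress
from dataclasses import dataclass, field

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


@dataclass
class Request:
    path: str
    remote_addr: str                       # peer address of the TCP connection
    headers: dict = field(default_factory=dict)
    authenticated_admin: bool = False      # set by the normal login path


def host_name(req):
    """Host header without the port; keeps an IPv6 literal's brackets."""
    host = req.headers.get("Host", "").lower()
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def is_setup_page(req):
    return req.path.lower().endswith("/admindatabase.aspx")


def setup_allowed_vulnerable(req, setup_complete):
    """Bug class of CVE-2025-12480: 'Host: localhost' is taken as proof that
    the request originated on the server itself, and setup_complete is never
    consulted, so the page stays reachable after installation has finished."""
    if not is_setup_page(req):
        return True
    return host_name(req) in LOOPBACK_HOSTS


def setup_allowed_fixed(req, setup_complete):
    """Hardened gate: after setup only an authenticated admin may open the
    page; before setup only a connection from the loopback interface may,
    judged by the socket peer address, which the client cannot forge."""
    if not is_setup_page(req):
        return True
    if setup_complete:
        return req.authenticated_admin
    try:
        return ipaddress.ip_address(req.remote_addr).is_loopback
    except ValueError:
        return False


if __name__ == "__main__":
    spoof = Request("/management/AdminDatabase.aspx", "203.0.113.7",
                    {"Host": "localhost"})
    print("vulnerable:", setup_allowed_vulnerable(spoof, setup_complete=True))  # True
    print("fixed:     ", setup_allowed_fixed(spoof, setup_complete=True))       # False
```

The fixed gate never looks at the Host header at all: the only properties it trusts are ones the server itself establishes (the peer address of the connection and the session's authentication state). Reverse proxies that terminate the connection on the server's own host would make every request look local, so behind such a proxy the loopback branch should be replaced by a check on the proxy's forwarded-client address.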
The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature.
First reported: 11.11.2025 14:30 (3 sources, 3 articles)
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The attackers were able to run their malicious batch script by configuring the path of the anti-virus engine to point to their script.
First reported: 11.11.2025 14:30 (3 sources, 3 articles)
- Hackers Exploit Critical Flaw in Gladinet's Triofox File Sharing Product — www.infosecurity-magazine.com — 11.11.2025 14:30
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The newly disclosed flaw is rooted in a function named GenerateSecKey() in GladCtrl64.dll, which produces the same 100-byte text string on every installation. Because the cryptographic keys are derived from that string, anyone who extracts it from the DLL can decrypt or forge access tickets.
First reported: 11.12.2025 07:56 (2 sources, 2 articles)
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The attacks involve specially crafted URL requests to the "/storage/filesvr.dn" endpoint, with the Username and Password fields left blank, causing the application to fall back to the IIS Application Pool Identity.
First reported: 11.12.2025 07:56 (2 sources, 2 articles)
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The timestamp field in the access ticket is set to the year 9999, producing a ticket that never expires, so the threat actors can reuse the same URL indefinitely to download the server configuration.
First reported: 11.12.2025 07:56 (2 sources, 2 articles)
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
As of December 10, 2025, nine organizations across various sectors, including healthcare and technology, have been affected by the newly disclosed flaw.
First reported: 11.12.2025 07:56 (2 sources, 2 articles)
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The attacks originate from the IP address 147.124.216[.]205 and attempt to chain together the newly disclosed flaw with the previously disclosed CVE-2025-11371 to access the machine key from the web.config file.
First reported: 11.12.2025 07:56 (2 sources, 2 articles)
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
Organizations using CentreStack and Triofox are advised to update to the latest version, 16.12.10420.56791, released on December 8, 2025, and scan logs for the presence of the string "vghpI7EToZUDIZDdprSubL3mTZ2," which is the encrypted representation of the web.config file path.
First reported: 11.12.2025 07:56 (2 sources, 2 articles)
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
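A log hunt for the request patterns collected on this page, as an added example rather than Huntress or Gladinet tooling. It parses IIS W3C logs (using the #Fields directive to map columns) and flags t.dn requests whose s parameter carries a traversal or names Web.config (CVE-2025-11371), filesvr.dn requests containing the vghpI7EToZUDIZDdprSubL3mTZ2 ticket string, AdminDatabase.aspx requests whose Host header says localhost while the client address is not loopback (CVE-2025-12480), and any request from 147.124.216.205. The log lines are constructed; the exact traversal syntax and the directory containing AdminDatabase.aspx are assumptions, and the Host check needs the cs-host field enabled in IIS logging.

```python
"""IIS W3C log hunt for the Gladinet request patterns on this page. Added
example, not Huntress or Gladinet tooling; SAMPLE_LOG is constructed."""
import ipaddress
from urllib.parse import parse_qs

TICKET_IOC = "vghpI7EToZUDIZDdprSubL3mTZ2"   # encrypted web.config path (Huntress)
KNOWN_ATTACKER_IPS = {"147.124.216.205"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}

# Constructed sample; the AdminDatabase.aspx directory and traversal form are assumed.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs-host sc-status
2025-12-09 08:01:10 GET /portal/loginpage.aspx - - 198.51.100.20 files.example.com 200
2025-12-09 08:02:31 GET /storage/t.dn s=..%2F..%2F..%2FUploadDownloadProxy%2FWeb.config - 147.124.216.205 files.example.com 200
2025-12-09 08:03:05 GET /storage/filesvr.dn t=vghpI7EToZUDIZDdprSubL3mTZ2AAAAAAAAAAAAAAAAAAAAAAAA - 147.124.216.205 files.example.com 200
2025-12-09 08:04:47 POST /management/AdminDatabase.aspx - - 203.0.113.7 localhost 200
2025-12-09 08:05:12 GET /storage/t.dn s=thumb%2F2025%2Freport.png alice 10.20.0.8 files.example.com 200
"""


def parse_w3c(text):
    """Yield (line_no, {field: value}) using the #Fields directive, so the
    script survives sites that log a different column set."""
    fields = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):          # skip truncated lines
                yield n, dict(zip(fields, values))


def _host_name(host):
    host = host.lower()
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def _is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def rules_for(rec):
    """Names of every rule a single log record trips."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    params = parse_qs("" if query == "-" else query, keep_blank_values=True)
    ip = rec.get("c-ip", "")
    hits = []
    if stem.endswith("/storage/t.dn"):
        for s in params.get("s", []):               # parse_qs already URL-decodes
            if ".." in s or "web.config" in s.lower():
                hits.append("CVE-2025-11371: t.dn 's' parameter traverses to Web.config")
    if stem.endswith("/storage/filesvr.dn") and TICKET_IOC in query:
        hits.append("forged filesvr.dn access ticket (hard-coded key flaw IoC)")
    if (stem.endswith("/admindatabase.aspx")
            and _host_name(rec.get("cs-host", "")) in LOOPBACK_HOSTS
            and not _is_loopback(ip)):
        hits.append("CVE-2025-12480: setup page reached with spoofed Host header")
    if ip in KNOWN_ATTACKER_IPS:
        hits.append("source IP reported in the December 2025 campaign")
    return hits


def hunt(text):
    """All findings as dicts, one per (line, rule), in log order."""
    return [{"line": n, "c-ip": rec.get("c-ip", ""), "rule": r}
            for n, rec in parse_w3c(text) for r in rules_for(rec)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']:>4}  {f['c-ip']:<16} {f['rule']}")
```

Run it over the UploadDownloadProxy and portal site logs, not only the default site, since the handlers live in different IIS applications. A t.dn request that is not flagged is not evidence of safety: the rule keys on traversal and on the Web.config name, and a successful read of any other file through the same handler would need its own pattern.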
If indicators of compromise are found, the machine key must be rotated: generate new keys in IIS Manager, repeat the same step on every worker node, and then restart IIS.
First reported: 11.12.2025 07:56 (2 sources, 2 articles)
- Active Attacks Exploit Gladinet's Hard-Coded Keys for Unauthorized Access and Code Execution — thehackernews.com — 11.12.2025 07:56
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
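The same rotation done outside IIS Manager, for hosts that are managed by script: an added example, not the vendor's procedure, that rewrites the <machineKey> element of a Web.config with freshly generated keys. The sample Web.config is constructed; the key sizes are the ones IIS Manager's Generate Keys produces for HMACSHA256 validation and AES decryption. The page's instruction still applies: apply it on every worker node, then restart IIS.

```python
"""Rotate the ASP.NET <machineKey> of a Web.config. Added example, not the
vendor's procedure (which is IIS Manager > Machine Key > Generate Keys).
SAMPLE_WEB_CONFIG is constructed."""
import secrets
import shutil
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="LEAKEDLEAKEDLEAKEDLEAKED" decryptionKey="LEAKEDLEAKED"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def new_machine_key():
    """Fresh key pair in the sizes IIS Manager emits for these algorithms:
    64 random bytes (128 hex chars) for HMACSHA256 validation, 32 bytes
    (64 hex chars) for AES decryption."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def read_machine_key(config_xml):
    """Attributes of <system.web><machineKey>, or {} if the element is absent."""
    mk = ET.fromstring(config_xml.encode("utf-8")).find("./system.web/machineKey")
    return dict(mk.attrib) if mk is not None else {}


def rotate_machine_key(config_xml, keys=None):
    """Return (new_xml, keys). Every attribute of <machineKey> is replaced,
    so a leaked key, an 'AutoGenerate,IsolateApps' setting or a weak
    validation algorithm all disappear in one step."""
    keys = keys or new_machine_key()
    root = ET.fromstring(config_xml.encode("utf-8"))
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(keys)
    return ET.tostring(root, encoding="unicode"), keys


def rotate_file(path, keys=None):
    """In-place rotation with a .bak copy. ElementTree discards XML comments,
    so diff the result against the backup before trusting it."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8-sig") as f:
        new_xml, keys = rotate_machine_key(f.read(), keys)
    with open(path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n' + new_xml)
    return keys


if __name__ == "__main__":
    xml_out, generated = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print(xml_out)
```

Pass the `keys` dict returned from the first node into `rotate_file` on the other nodes: in an ASP.NET web farm every node behind the same load balancer must hold the same validationKey and decryptionKey, or ViewState produced by one node fails validation on the next. Treat the returned dict as a secret and do not leave it in shell history or a ticketing system.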
The new cryptographic vulnerability in Gladinet's CentreStack and Triofox products stems from the products' custom use of the AES algorithm: the encryption key and initialization vector (IV) are hardcoded inside the GladCtrl64.dll file and can be extracted from it.
First reported: 11.12.2025 23:49 (1 source, 1 article)
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The flaw lies in the processing of the 'filesvr.dn' handler, which decrypts the 't' parameter (Access Ticket) using those static keys.
First reported: 11.12.2025 23:49 (1 source, 1 article)
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The attackers forged Access Tickets with the hardcoded AES key and IV, setting the timestamp to the year 9999 so that the ticket never expires.
First reported: 11.12.2025 23:49 (1 source, 1 article)
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
The attackers requested the server’s web.config file, which contains the machineKey, and used it to trigger remote code execution through a ViewState deserialization flaw.
First reported: 11.12.2025 23:49 (1 source, 1 article)
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
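The ticket logic described in the two groups of statements above (GenerateSecKey() yielding the same key everywhere, blank credentials falling back to the application pool identity, a year-9999 expiry, a hardcoded AES key and IV decrypting the t parameter), as an added model rather than Gladinet's implementation. It shows a vulnerable file server whose key is a constant in the code beside a fixed one whose key is generated per installation and whose checks reject unbound and far-future tickets. To stay standard-library only, the model seals tickets with HMAC-SHA256 instead of AES-CBC; the field names, the ticket layout and the key value are assumptions. The forgery argument does not depend on the cipher: a key every installation shares is a key every attacker has.

```python
"""Model of the access-ticket forgery. Added example, not Gladinet's code:
field names, layout and the HMAC-SHA256 seal (in place of AES-CBC) are assumed."""
import base64
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta, timezone

# Vulnerable design: the key lives in the binary, identical on every install
# (stands in for GenerateSecKey() in GladCtrl64.dll). The value is made up.
HARDCODED_KEY = b"GladCtrl64-static-key-identical-on-every-install"
APP_POOL_IDENTITY = "IIS APPPOOL\\DefaultAppPool"
MAX_TICKET_LIFETIME = timedelta(hours=1)
NOW = datetime(2025, 12, 10, 12, 0, tzinfo=timezone.utc)


def mint(fields, key):
    """Seal a ticket: JSON body || HMAC-SHA256(key, body), base64url-encoded."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def open_ticket(token, key):
    """Fields of a ticket sealed under key, or None if the seal is wrong."""
    try:
        raw = base64.urlsafe_b64decode(token)
        body, tag = raw[:-32], raw[-32:]
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
            return None
        return json.loads(body)
    except ValueError:          # bad base64 or bad JSON
        return None


def serve_vulnerable(token, now):
    """filesvr.dn as described on the page: anyone holding the DLL's key can
    mint a ticket; blank credentials fall through to the worker-process
    identity; the only freshness check is 'not yet expired', which a
    year-9999 timestamp never fails. Returns (identity, path) or None."""
    t = open_ticket(token, HARDCODED_KEY)
    if t is None or datetime.fromisoformat(t["exp"]) < now:
        return None
    return (t["user"] or APP_POOL_IDENTITY), t["path"]


class FixedServer:
    def __init__(self):
        # Per-installation key: generated at install time, kept in protected
        # configuration, never compiled into a DLL that every customer receives.
        self.key = os.urandom(32)

    def issue(self, user, path, now):
        if not user:
            raise ValueError("tickets are bound to an authenticated user")
        exp = (now + MAX_TICKET_LIFETIME).isoformat()
        return mint({"user": user, "path": path, "exp": exp}, self.key)

    def serve(self, token, now):
        t = open_ticket(token, self.key)
        if t is None or not t.get("user"):
            return None                      # no fallback identity, ever
        exp = datetime.fromisoformat(t["exp"])
        if exp < now or exp - now > MAX_TICKET_LIFETIME:
            return None                      # expired, or lifetime beyond policy
        path = t["path"]
        if ".." in path or path.lower().endswith("web.config"):
            return None                      # configuration is never a share
        return t["user"], path


def attacker_forged_ticket():
    """What the observed requests carried: blank credentials, the config
    path, and an expiry in the year 9999, sealed with the extracted key."""
    return mint({"user": "", "pass": "", "exp": "9999-12-31T23:59:59+00:00",
                 "path": "..\\UploadDownloadProxy\\Web.config"}, HARDCODED_KEY)


def demo():
    forged = attacker_forged_ticket()
    srv = FixedServer()
    good = srv.issue("alice", "/shares/report.pdf", NOW)
    far_future_with_real_key = mint(
        {"user": "alice", "path": "/shares/x", "exp": "9999-12-31T23:59:59+00:00"}, srv.key)
    return {
        "vulnerable_serves_forged": serve_vulnerable(forged, NOW),
        "fixed_serves_forged": srv.serve(forged, NOW),
        "fixed_serves_valid": srv.serve(good, NOW),
        "fixed_serves_expired": srv.serve(good, NOW + timedelta(hours=2)),
        "fixed_serves_far_future": srv.serve(far_future_with_real_key, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

Three independent defects combine in the vulnerable server, and removing any one of them would have blunted the December 2025 chain: a shared key (forgery), a fallback identity for blank credentials (the forged ticket acts as the application pool), and an unbounded lifetime (the same URL keeps working). The fixed server removes all three rather than the cheapest one.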
The flaw was detected by researchers at Huntress, who as of December 10, 2025 had confirmed nine affected organizations from various sectors, including healthcare and technology.
First reported: 11.12.2025 23:49 (1 source, 1 article)
- Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks — www.bleepingcomputer.com — 11.12.2025 23:49
Similar Happenings
Sneeit WordPress RCE Exploited in Active Attacks
A critical remote code execution (RCE) vulnerability (CVE-2025-6389) in the Sneeit Framework plugin for WordPress is being actively exploited in the wild. The flaw, affecting versions up to 8.3, allows unauthenticated attackers to execute arbitrary PHP functions, including creating malicious administrator accounts and injecting backdoors. Exploitation began on November 24, 2025, with over 131,000 attack attempts blocked by Wordfence. Additionally, a critical flaw in ICTBroadcast (CVE-2025-2611) is being exploited to deliver the Frost DDoS botnet. The botnet uses multiple exploits to spread and conduct targeted DDoS attacks, with evidence pointing to a small, targeted operation.
Critical React Server Components (RSC) Bugs Enable Unauthenticated Remote Code Execution
A critical security vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components (RSC) allows unauthenticated remote code execution due to unsafe deserialization of payloads. The flaw affects multiple versions of React and Next.js, potentially impacting any application using RSC. The issue has been patched, but 39% of cloud environments remain vulnerable. Cloudflare experienced a widespread outage due to an emergency patch for this vulnerability, and multiple China-linked hacking groups have begun exploiting it. NHS England National CSOC has warned of the likelihood of continued exploitation in the wild. Major companies such as Google Cloud, AWS, and Cloudflare immediately responded to the vulnerability. The security researcher Lachlan Davidson disclosed the vulnerability on November 29, 2025, to the Meta team. The flaw has been dubbed React2Shell, a nod to the Log4Shell vulnerability discovered in 2021. The US National Vulnerability Database (NVD) rejected CVE-2025-66478 as a duplicate of CVE-2025-55182. Exploitation success rate is reported to be nearly 100% in default configurations. React servers that use React Server Function endpoints are known to be vulnerable. The Next.js web application is also vulnerable in its default configuration. At the time of writing, it is unknown if active exploitation has occurred, but there have been some reports of observed exploitation activity as of December 5, 2025. OX Security warned that the flaw is now actively exploitable on December 5, around 10am GMT. Hacker maple3142 published a working PoC, and OX Security successfully verified it. JFrog identified fake proof-of-concepts (PoC) on GitHub, warning security teams to verify sources before testing. Cloudflare started investigating issues on December 5 at 08:56 UTC, and a fix was rolled out within half an hour, but by that time outages had been reported by several major internet services, including Zoom, LinkedIn, Coinbase, DoorDash, and Canva. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on December 6, 2025, following confirmed active exploitation. The vulnerability is tracked as React2Shell and is related to a remote code execution flaw in React Server Components (RSC). The flaw is due to insecure deserialization in the Flight protocol used by React to communicate between a server and client. The vulnerability affects versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Patched versions of React are 19.0.1, 19.1.2, and 19.2.1. Downstream frameworks impacted include Next.js, React Router, Waku, Parcel, Vite, and RedwoodSDK. Amazon reported attack attempts from Chinese hacking groups like Earth Lamia and Jackpot Panda within hours of public disclosure. Coalition, Fastly, GreyNoise, VulnCheck, and Wiz reported seeing exploitation efforts targeting the flaw. Some attacks involved the deployment of cryptocurrency miners and the execution of "cheap math" PowerShell commands. Censys identified about 2.15 million instances of internet-facing services potentially affected by the vulnerability. Palo Alto Networks Unit 42 confirmed over 30 affected organizations across numerous sectors, with activity consistent with Chinese hacking group UNC5174. Security researcher Lachlan Davidson released multiple proof-of-concept (PoC) exploits for the vulnerability. Another working PoC was published by a Taiwanese researcher with the GitHub handle maple3142. Federal Civilian Executive Branch (FCEB) agencies have until December 26, 2025, to apply the necessary updates to secure their networks. Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182). Researchers have confirmed that attackers have already compromised over 30 organizations across multiple sectors using the React2Shell flaw.
Shadowserver detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States. GreyNoise recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. Attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw. Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory. One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads. The PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network. Amazon AWS threat intelligence teams saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda. Palo Alto Networks observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security. The deployed malware in these attacks includes Snowlight and Vshell, both commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network. Earth Lamia is known for exploiting web application vulnerabilities to target organizations across Latin America, the Middle East, and Southeast Asia. Earth Lamia has historically targeted sectors across financial services, logistics, retail, IT companies, universities, and government organizations. Jackpot Panda primarily targets entities in East and Southeast Asia. 
The Shadowserver Foundation has identified over 77,000 vulnerable IPs following a scan of exposed HTTP services across a wide variety of exposed edge devices and other applications. Censys observed just over 2.15 million instances of internet-facing services that may be affected by this vulnerability, including exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK. The bug is a pre-authentication remote code execution (RCE) vulnerability which exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. React issued a security advisory with the relevant patches and updates on December 3. Any internet-accessible server running the affected React Server Components code should be assumed vulnerable until updated as a precaution. AWS observed that many threat actors are attempting to use public PoCs that don’t work in real-world scenarios. AWS noted that the use of these PoCs shows that threat actors prioritize rapid operationalization over thorough testing, attempting to exploit targets with any available tool. Using multiple PoCs to scan for vulnerable environments also gives threat actors a higher chance of identifying vulnerable configurations, even if the PoCs are non-functional. The availability of the PoCs also allows less sophisticated actors to participate in exploitation campaigns. Finally, AWS noted that even failed exploitation attempts create significant noise in logs, potentially masking more sophisticated attacks. The invalid PoCs can give developers a false sense of security when testing for React2Shell. The Shadowserver Foundation detected 28,964 IP addresses vulnerable to the React2Shell flaw as of December 7, 2025, down from 77,664 on December 5, with approximately 10,100 located in the U.S., 3,200 in Germany, and 1,690 in China. 
Huntress observed attackers targeting numerous organizations via CVE-2025-55182, with a focus on the construction and entertainment industries. The first recorded exploitation attempt on a Windows endpoint by Huntress dates back to December 4, 2025, when an unknown threat actor exploited a vulnerable instance of Next.js to drop a shell script, followed by commands to drop a cryptocurrency miner and a Linux backdoor. Attackers were observed launching discovery commands and attempting to download several payloads from a command-and-control (C2) server. Huntress identified a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant referred to as ZinFoq. PeerBlight shares code overlaps with two malware families RotaJakiro and Pink that came to light in 2021, installs a systemd service to ensure persistence, and masquerades as a "ksoftirqd" daemon process to evade detection. CowTunnel initiates an outbound connection to attacker-controlled Fast Reverse Proxy (FRP) servers, effectively bypassing firewalls that are configured to only monitor inbound connections. ZinFoq implements a post-exploitation framework with interactive shell, file operations, network pivoting, and timestomping capabilities. Huntress assessed that the threat actor is likely leveraging automated exploitation tooling, supported by the attempts to deploy Linux-specific payloads on Windows endpoints, indicating the automation does not differentiate between target operating systems. PeerBlight supports capabilities to establish communications with a hard-coded C2 server ("185.247.224[.]41:8443"), allowing it to upload/download/delete files, spawn a reverse shell, modify file permissions, run arbitrary binaries, and update itself. 
ZinFoq beacons out to its C2 server and is equipped to parse incoming instructions to run commands using "/bin/bash," enumerate directories, read or delete files, download more payloads from a specified URL, exfiltrate files and system information, start/stop SOCKS5 proxy, enable/disable TCP port forwarding, alter file access and modification times, and establish a reverse pseudo terminal (PTY) shell connection. ZinFoq takes steps to clear bash history and disguises itself as one of 44 legitimate Linux system services to conceal its presence.
Oracle Identity Manager RCE Flaw CVE-2025-61757 Exploited in Attacks
CISA has warned that a pre-authentication remote code execution (RCE) flaw in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited in attacks. The vulnerability stems from an authentication bypass in the REST APIs, allowing attackers to execute malicious code. The flaw was patched by Oracle in October 2025, but evidence suggests it may have been exploited as early as August 30. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch it by December 12. Researchers from Searchlight Cyber discovered the flaw, describing it as trivial and easily exploitable. Multiple IP addresses have been observed scanning for the vulnerability, all using the same user agent. The flaw involves gaining access to a Groovy script compilation endpoint to execute malicious code. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager. Attackers can manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems. The IP addresses 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153 were observed scanning for the vulnerability. The flaw was revealed by Searchlight Cyber on November 20 and added to CISA's KEV catalog on November 21. The vulnerability lies in the REST WebServices component of Oracle Identity Manager and has a CVSS severity score of 9.8. The flaw was discovered during an investigation of a breach affecting Oracle Cloud's login service, where a threat actor exploited an older vulnerability, CVE-2021-35587.
Critical SCIM Flaw in Grafana Enables Privilege Escalation and Impersonation
Grafana has patched a critical vulnerability (CVE-2025-41115) in its SCIM component, which could allow privilege escalation or user impersonation. The flaw affects Grafana Enterprise versions 12.0.0 to 12.2.1 and was discovered internally on November 4, 2025. The vulnerability is exploitable only if specific SCIM-related configurations are enabled. Grafana OSS users are not impacted, and Grafana Cloud services have already received the patches. The flaw was discovered during internal auditing, and a security update was introduced roughly 24 hours later, with the public release following on November 19, 2025.
Active Exploitation of 7-Zip Symbolic Link RCE Vulnerability (CVE-2025-11001)
Hackers are actively exploiting a symbolic link-based remote code execution vulnerability (CVE-2025-11001) in 7-Zip, which affects the handling of ZIP files and allows directory traversal. The flaw was patched in version 25.00 released in July 2025. NHS England has observed active exploitation of this vulnerability in the wild. The vulnerability is specific to Windows systems and requires elevated privileges or developer mode to be exploited.