
Gladinet CentreStack and Triofox active exploitation wave

Exploitation Wave
H score 55
2 unique sources, 2 articles

Summary


Active exploitation of Gladinet CentreStack and Triofox has affected at least nine organizations, creating risk of unauthorized access and follow-on remote code execution. Attack traffic has been observed from 147.124.216[.]205 using crafted requests to /storage/filesvr.dn and forged access tickets. The activity also appears to chain the new abuse with CVE-2025-11371 to reach web.config and obtain the machine key.

Cases

Related Happenings

SolarWinds Web Help Desk (WHD) multi-stage exploitation wave

Exploitation Wave
First: 09.02.2026 16:42 Last: 09.02.2026 16:42 Sources 1

About this happening: **SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...

Latest development: 10.03.2026 08:17

CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. The agency said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.

Gladinet CentreStack and Triofox hardcoded AES keys RCE flaw

Vulnerability
First: 11.12.2025 23:49 Last: 11.12.2025 23:49 Sources 1

How related: Hackers are exploiting a new, undocumented vulnerability in the implementation of the cryptographic algorithm present in Gladinet's CentreStack and Triofox products for secure remote file access and sharing.

About this happening: A new **Gladinet CentreStack** and **Triofox** vulnerability in the products' custom AES implementation is being **actively exploited** to recover **hardcoded cryptographic keys**...

Gladinet Triofox actively exploited improper access control flaw (CVE-2025-12480)

Vulnerability
First: 11.11.2025 14:30 Last: 11.11.2025 14:30 Sources 1

About this happening: **Gladinet Triofox** is affected by **CVE-2025-12480**, a **critical improper access control flaw** that let attackers reach restricted setup pages and turn the issue into **code...

UNC6485 Triofox CVE-2025-12480 exploitation campaign

Campaign
First: 10.11.2025 22:49 Last: 10.11.2025 22:49 Sources 1

About this happening: The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...

Gladinet CentreStack and Triofox workaround for CVE-2025-11371

Advisory/Mitigation
First: 10.10.2025 22:08 Last: 10.10.2025 22:08 Sources 1

How related: Users of Gladinet CentreStack and Triofox are advised to upgrade to version 16.12.10420.56791 (released on December 8) as soon as possible and to rotate the machine keys.

About this happening: **CentreStack** and **Triofox** are affected by **CVE-2025-11371**, a **local file inclusion zero-day** that threat actors have **abused since late September** to read **Web.confi...

Timeline

  1. 11.12.2025 07:56 3 articles · 5mo ago

    Gladinet CentreStack and Triofox active exploitation wave

    Initial Disclosure

    The early wave centers on repeated forged-ticket requests from **147.124.216[.]205** against **Gladinet CentreStack** and **Triofox**, with the aim of reaching **web.config** through **/storage/filesvr.dn**.
