Gladinet CentreStack and Triofox hardcoded AES keys RCE flaw

Vulnerability · Happening score (H score): 64 · 1 unique source, 1 article

Summary

A new Gladinet CentreStack and Triofox vulnerability in the products' custom AES implementation is being actively exploited to recover hardcoded cryptographic keys and enable remote code execution. Gladinet told customers to upgrade and rotate machine keys, while researchers said the abuse had already targeted at least nine organizations. The flaw affects secure remote file access and sharing systems, making exposed deployments a direct takeover risk.

Related Happenings

Clop ransomware campaign targeting Gladinet CentreStack servers

Campaign
First: 18.12.2025 22:16 Last: 18.12.2025 22:16 Sources 1

About this happening: The **Clop/Cl0p ransomware gang** is running a **data theft extortion campaign** against **Internet-exposed Gladinet CentreStack file servers**, raising the risk of compromise for...

Gladinet CentreStack and Triofox active exploitation wave

Exploitation Wave
First: 11.12.2025 07:56 Last: 11.12.2025 07:56 Sources 1

How related: Security researchers at managed cybersecurity platform Huntress are aware of at least nine organizations targeted in attacks leveraging the new vulnerability along with an older one tracked as CVE-2025-30406 - a local file inclusion flaw that allows a local attacker to access system files without authentication.

About this happening: Active exploitation of **Gladinet CentreStack** and **Triofox** has affected **at least nine organizations**, creating risk of unauthorized access and follow-on **remote code exec...

UNC6485 Triofox CVE-2025-12480 exploitation campaign

Campaign
First: 10.11.2025 22:49 Last: 10.11.2025 22:49 Sources 1

About this happening: The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...

Gladinet CentreStack and Triofox workaround for CVE-2025-11371

Advisory/Mitigation
First: 10.10.2025 22:08 Last: 10.10.2025 22:08 Sources 1

How related: Users of Gladinet CentreStack and Triofox are recommended to upgrade to version 16.12.10420.56791 (released on December 8) as soon as possible and also rotate the machine keys.

About this happening: **CentreStack** and **Triofox** are affected by **CVE-2025-11371**, a **local file inclusion zero-day** that threat actors have **abused since late September** to read **Web.confi...

Gladinet CentreStack and TrioFox actively exploited unauthenticated LFI remote code execution flaw (multiple vulnerabilities)

Vulnerability
First: 10.10.2025 12:34 Last: 10.10.2025 12:34 Sources 1

About this happening: **Gladinet CentreStack** is now patched for **CVE-2025-11371**, an **unauthenticated local file inclusion** flaw that threat actors have used as a **zero-day** since **late Septem...

Latest development: 05.11.2025 08:12

Huntress detected active exploitation attempts targeting CVE-2025-11371 in Gladinet CentreStack and Triofox, with unknown threat actors using Base64-encoded payloads to run reconnaissance commands such as ipconfig /all against exposed systems. CISA also added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog, and FCEB agencies were required to apply the necessary fixes by November 25, 2025.

Timeline

  1. 11.12.2025 02:00 · 1 article

    Gladinet releases patched CentreStack and Triofox build

    Mitigation Patch Update

    Gladinet released version 16.12.10420.56791 for CentreStack and Triofox on December 8 and urged customers to upgrade promptly and rotate machine keys to reduce exposure to the newly disclosed cryptographic flaw.

  2. 11.12.2025 02:00 · 1 article

    Huntress confirms nine organizations targeted

    Campaign Scope Update

    By December 10, Huntress had confirmed nine organizations targeted across sectors including healthcare and technology, showing that active abuse of the Gladinet CentreStack and Triofox flaw had spread beyond a single victim.

  3. 11.12.2025 02:00 · 2 articles

    Gladinet discloses active exploitation of CentreStack and Triofox flaw

    Initial Disclosure

    Gladinet notified customers about an undocumented cryptographic vulnerability in CentreStack and Triofox, said the issue was being exploited in the wild, and shared IoCs. Huntress used those IoCs to trace hardcoded AES keys in GladCtrl64.dll, Access Tickets forged through filesvr.dn, a path toward remote code execution, and the vghpI7EToZUDIZDdprSubL3mTZ2 indicator.
