Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks

Hackers are exploiting a new, undocumented vulnerability in the cryptographic implementation of Gladinet's CentreStack and Triofox products, which provide secure remote file access and sharing.

By leveraging the security issue, the attackers can obtain hardcoded cryptographic keys and achieve remote code execution, researchers warn.

Although the new cryptographic vulnerability does not have an official identifier, Gladinet notified customers about it and advised them to update to the latest version, which at the time of the notification was the one released on November 29.

The company also provided customers with a set of indicators of compromise (IoCs), indicating that the issue was being exploited in the wild.

Security researchers at managed cybersecurity platform Huntress are aware of at least nine organizations targeted in attacks leveraging the new vulnerability along with an older one tracked as CVE-2025-30406, a local file inclusion flaw that allows a local attacker to access system files without authentication.

Hardcoded cryptographic keys

Using the IoCs from Gladinet, Huntress researchers were able to determine where the flaw was and how threat actors are leveraging it.

Huntress found that the issue stems from the custom implementation of the AES cryptographic algorithm in Gladinet CentreStack and Triofox, where the encryption key and Initialization Vector (IV) were hardcoded inside the GladCtrl64.dll file and could be easily obtained.

Specifically, the key values were derived from two static 100-byte strings of Chinese and Japanese text, which were identical across all product installations.

The flaw lies in the processing of the ‘filesvr.dn’ handler, which decrypts the ‘t’ parameter (Access Ticket) using those static keys, Huntress explains.
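
For defenders reviewing their own servers, the following is an added triage example (not code from Huntress, Gladinet or the original article): it pulls requests to the 'filesvr.dn' handler out of web server logs and reports any 't' value presented from more than one client address. The IIS W3C log format, the sample log lines, the `/example/` path prefix and the "same ticket from several addresses" heuristic are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed W3C-style log excerpt (not real traffic). The "/example/" prefix
# is a placeholder path and the client IPs are documentation-range addresses.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-12-01 10:00:01 GET /example/login.aspx - 198.51.100.7 200
2025-12-01 10:00:05 GET /example/filesvr.dn t=AAAA1111 198.51.100.7 200
2025-12-01 10:02:40 GET /example/filesvr.dn t=BBBB2222 203.0.113.9 200
2025-12-01 10:03:12 GET /example/filesvr.dn t=BBBB2222 192.0.2.44 200
2025-12-01 10:03:15 GET /example/FileSvr.dn t=BBBB2222&x=1 192.0.2.44 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def ticket_requests(text, handler="filesvr.dn"):
    """Map each 't' value sent to the handler to the client IPs that sent it."""
    seen = defaultdict(set)
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        if not stem.endswith("/" + handler):
            continue
        # An empty query is logged as "-", which parse_qs turns into {}.
        for ticket in parse_qs(row.get("cs-uri-query", "-")).get("t", []):
            seen[ticket].add(row.get("c-ip", "?"))
    return dict(seen)

def shared_tickets(text):
    """Tickets presented by more than one client IP: candidates for review."""
    found = ticket_requests(text)
    return {t: sorted(ips) for t, ips in found.items() if len(ips) > 1}

if __name__ == "__main__":
    for ticket, ips in shared_tickets(SAMPLE_LOG).items():
        print(f"ticket {ticket[:16]} seen from {len(ips)} addresses: {', '.join(ips)}")
```

Legitimate clients also send access tickets to this handler, so a hit is a lead for review against the vendor's IoCs, not a verdict.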
