Active Exploitation of Hard-Coded Cryptographic Keys in Gladinet Products Leads to RCE

13 Dec 2025

vulnerabilityhard-coded keyscryptographic keysremote code executionRCEdeserializationCentreStackTriofoxGladinetactive exploitationunpatched vulnerability

Huntress has reported an actively exploited vulnerability in Gladinet's CentreStack and Triofox products, attributed to the use of hard-coded cryptographic keys. This vulnerability allows attackers to access the web.config file, facilitating malicious deserialization and remote code execution (RCE). Security researcher Bryan Masters has documented this threat, which has affected nine organizations to date. Notably, no CVE identifier or specific exploitation timeline has been disclosed as of this report. The technical implications of this vulnerability are severe. Hard-coded cryptographic keys can be extracted by attackers, enabling unauthorized access to sensitive configuration files such as web.config. In ASP.NET applications, manipulation of the web.config file can lead to malicious deserialization—a critical vulnerability where attackers inject serialized data to execute arbitrary code on the server. This results in full system compromise, allowing attackers to exfiltrate data, deploy malware, or pivot to other network segments. The impact on the cybersecurity landscape is significant due to the active exploitation of this vulnerability. The absence of a CVE and the ongoing exploitation indicate that this is an unpatched vulnerability, increasing the urgency for affected organizations to respond. The involvement of multiple victims underscores the attractiveness of this target to threat actors. For cybersecurity professionals, this incident highlights the persistent risk of hard-coded secrets in enterprise software. Organizations using CentreStack or Triofox should prioritize the following actions:

Immediate Assessment: Identify and inventory all instances of the affected products within the environment.
Vendor Guidance: Monitor communications from Gladinet for official patches or mitigation strategies.
Incident Response: Assume compromise and initiate threat hunting activities to detect any signs of exploitation, such as unauthorized modifications to web.config or suspicious process execution. Given the severity of RCE vulnerabilities, it is critical to treat this threat with the highest priority. Until a patch is available, organizations should follow vendor guidance and consider implementing compensating controls to reduce exposure. This vulnerability underscores the importance of secure development practices, particularly the avoidance of hard-coded credentials and keys. Regular security audits and penetration testing can help identify such flaws before they are exploited by malicious actors.

Active Exploitation of Hard-Coded Cryptographic Keys in Gladinet Products Leads to RCE

13 Dec 2025

vulnerabilityhard-coded keyscryptographic keysremote code executionRCEdeserializationCentreStackTriofoxGladinetactive exploitationunpatched vulnerability

Immediate Assessment: Identify and inventory all instances of the affected products within the environment.
Vendor Guidance: Monitor communications from Gladinet for official patches or mitigation strategies.
Incident Response: Assume compromise and initiate threat hunting activities to detect any signs of exploitation, such as unauthorized modifications to web.config or suspicious process execution. Given the severity of RCE vulnerabilities, it is critical to treat this threat with the highest priority. Until a patch is available, organizations should follow vendor guidance and consider implementing compensating controls to reduce exposure. This vulnerability underscores the importance of secure development practices, particularly the avoidance of hard-coded credentials and keys. Regular security audits and penetration testing can help identify such flaws before they are exploited by malicious actors.