A cryptographic flaw in Gladinet CentreStack and Triofox is being actively exploited, with intrusions already reported across multiple sectors. The attacks combine a recently disclosed cryptography vulnerability with an older local file inclusion bug (CVE-2025-30406); the new flaw has not yet been assigned a formal CVE identifier. Researchers warn that attackers can use hardcoded AES keys to forge Access Tickets, set the ticket timestamps to the year 9999, and then request the server's web.config file to extract the machineKey, which enables remote code execution (RCE).
So far, at least nine organizations have fallen victim to these attacks, underscoring the breadth of impact across different industries. The combination of vulnerable CentreStack and Triofox deployments with the dual risk of key compromise and RCE makes timely remediation especially important.
What to do right now:
- Upgrade vulnerable Gladinet CentreStack and Triofox installations to the latest release issued this week.
- Rotate machine keys on affected and any adjacent systems to prevent further exploitation.
- Monitor logs for indicators of compromise, including the specific string vghpI7EToZUDIZDdprSubL3mTZ2, which researchers associate with the encrypted file path and potential attack activity.
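A log sweep for the indicator string in the last item, as an added example that is not from the researchers or the vendor. It assumes IIS W3C extended logs; the sample lines, the /example/handler path and the ticket parameter are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import unquote

# Indicator string quoted in the article above.
INDICATOR = "vghpI7EToZUDIZDdprSubL3mTZ2"

# Constructed sample in IIS W3C extended format (assumed log format); IPs are
# documentation addresses, and the path and parameter name are placeholders.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-01-01 10:00:01 198.51.100.7 GET /portal/login.aspx - 200
2025-01-01 10:00:05 203.0.113.9 GET /example/handler ticket=AAAvghpI7EToZUDIZDdprSubL3mTZ2BBB 200
2025-01-01 10:00:09 203.0.113.9 GET /example/handler ticket=AAA%76ghpI7EToZUDIZDdprSubL3mTZ2 200
2025-01-01 10:00:12 198.51.100.7 GET /example/handler ticket=unrelatedvalue 200
"""

def fully_unquote(value, max_rounds=3):
    """Undo up to max_rounds of percent-encoding so encoded copies still match."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_hits(log_text, indicator=INDICATOR):
    """Return {client_ip: [(timestamp, uri_stem, status), ...]} for matching requests."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated row
        row = dict(zip(fields, parts))
        stem, query = row.get("cs-uri-stem", ""), row.get("cs-uri-query", "")
        if indicator in fully_unquote(stem + "?" + query):
            stamp = f'{row.get("date", "")} {row.get("time", "")}'.strip()
            hits[row.get("c-ip", "unknown")].append((stamp, stem, row.get("sc-status", "")))
    return dict(hits)

if __name__ == "__main__":
    for ip, rows in find_hits(SAMPLE_LOG).items():
        print(ip, len(rows), "matching request(s); first seen", rows[0][0])
```

Grouping by client address gives a starting list of sources to trace through the rest of the logs when scoping an intrusion.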
For organizations using these products, rapid action is advised to reduce exposure and prevent further intrusions. If you’re unsure whether your environment is affected, consult your vendor’s security advisory and apply the recommended safeguards promptly.
And this is the part most people miss: even with a patch, comprehensive defense requires ongoing monitoring and validation across the entire stack. Have you completed a full audit of access controls, key management practices, and log retention to ensure you can detect and respond to similar flaws in the future?