
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Active Exploitation Targets Gladinet CentreStack Cryptographic Flaw

Huntress has identified an active wave of attacks targeting Gladinet CentreStack instances, enabling attackers to extract cryptographic keys and ultimately achieve remote code execution. The campaign exploits a cryptographic design flaw that allows adversaries to retrieve sensitive configuration data and abuse ASP.NET ViewState deserialization. Multiple organizations across critical sectors have already been impacted, prompting urgent mitigation guidance.
Context
Gladinet CentreStack is a mobile access and secure file-sharing platform widely used by enterprises to provide cloud-like file access on private infrastructure. Due to its role in handling authentication, session management, and encrypted communications, weaknesses in its cryptographic implementation pose a high risk. Previous CentreStack vulnerabilities exploited this year demonstrate that the platform has been under sustained adversarial interest.
What Happened
According to Huntress, attackers are exploiting a newly identified insecure cryptography flaw in CentreStack to access the application’s web.config file. This file contains a machineKey, a critical cryptographic secret used by ASP.NET applications to protect authentication tickets and ViewState data.
Huntress observed attackers crafting malicious requests that the application inherently trusts, allowing repeated retrieval of sensitive configuration data. In at least nine confirmed cases, organizations across healthcare, technology, and other sectors were compromised. The attackers also created non-expiring tickets, enabling persistent access without repeated exploitation.
Technical Breakdown
CentreStack relies on two static 100-byte strings to derive cryptographic keys. Because these values never change, attackers who obtain them once can reuse them indefinitely.
With access to the machineKey, adversaries can:
Decrypt or forge authentication tickets
Encrypt malicious payloads trusted by the server
Abuse ASP.NET ViewState deserialization to execute arbitrary code
This technique mirrors exploitation patterns seen earlier this year in CVE-2025-30406 and CVE-2025-11371, where ViewState manipulation enabled remote code execution. In this case, the lack of cryptographic key rotation significantly lowers the barrier to exploitation.
Impact Analysis
Successful exploitation grants attackers full control over the affected CentreStack instance. This includes persistent access, arbitrary command execution, and potential lateral movement within connected environments.
Given CentreStack’s role in file access and identity workflows, compromise can expose sensitive data, credentials, and downstream systems. The ability to reuse a single malicious URL indefinitely further increases operational risk.
Why It Matters
This incident highlights a recurring class of failures: static cryptographic material embedded in production systems. Even without a published CVE, real-world exploitation demonstrates that design-level cryptography flaws can be as dangerous as traditional memory corruption bugs.
For defenders, this reinforces the importance of rapid patching, key rotation, and monitoring for anomalous configuration access.
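To confirm that the machineKey in web.config was actually rotated after remediation, the keys can be fingerprinted before and after and the results compared. The sketch below is an added example, not code from Huntress or Gladinet. The sample configurations and key values are constructed placeholders, and the baseline-versus-current workflow is an assumption about how a defender would run the check.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config content; key values are made-up placeholders.
SAMPLE_BEFORE = """<configuration>
  <system.web>
    <machineKey validationKey="AAAA1111BBBB2222" decryptionKey="CCCC3333DDDD4444"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""
SAMPLE_AFTER = (SAMPLE_BEFORE
                .replace("AAAA1111BBBB2222", "EEEE5555FFFF6666")
                .replace("CCCC3333DDDD4444", "0000777788889999"))

KEY_ATTRS = ("validationKey", "decryptionKey")


def machinekey_fingerprints(config_xml):
    """Map each explicit machineKey attribute to a short SHA-256 fingerprint.

    Fingerprints allow comparison over time without writing the secret itself
    to logs or tickets. AutoGenerate values carry no static key and are skipped.
    """
    root = ET.fromstring(config_xml)
    found = {}
    for element in root.iter():
        # Strip an XML namespace prefix if the config declares one.
        if element.tag.split("}")[-1] != "machineKey":
            continue
        for attr in KEY_ATTRS:
            value = element.get(attr)
            if value is None or value.startswith("AutoGenerate"):
                continue
            # Hex key strings are case-insensitive, so normalise before hashing.
            digest = hashlib.sha256(value.upper().encode("ascii")).hexdigest()
            found[attr] = digest[:16]
    return found


def unrotated_keys(baseline, current):
    """Return the key attributes whose fingerprint matches the baseline."""
    return sorted(a for a, fp in current.items() if baseline.get(a) == fp)


if __name__ == "__main__":
    before = machinekey_fingerprints(SAMPLE_BEFORE)
    after = machinekey_fingerprints(SAMPLE_AFTER)
    print("still using old keys:", unrotated_keys(before, after))
```

Any attribute this reports is still the value an attacker may already hold, so tickets and ViewState payloads forged with it remain valid on that host.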
Expert Commentary
Huntress emphasized that the unchanging nature of the cryptographic keys dramatically amplified attacker capabilities. Once extracted, the keys enabled both decryption of legitimate data and creation of attacker-controlled payloads that the server inherently trusted.
The lack of early public disclosure or a CVE also complicates detection and response efforts.
Key Takeaways
Attackers are actively exploiting Gladinet CentreStack cryptographic weaknesses
Static key material enables persistent and reusable attacks
ViewState deserialization remains a reliable exploitation path
At least nine organizations have confirmed impact
No CVE has been assigned despite active exploitation
Immediate updates and IoC review are critical

