PT-2025-14795 · Gladinet · Gladinet Centrestack

Published 2025-04-03 · Updated 2025-08-14 · CVE-2025-30406

CVSS v2.0: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

**Name of the Vulnerable Software and Affected Versions:**

Gladinet CentreStack versions prior to 16.4.10315.56368

Gladinet Triofox versions prior to 16.4.10317.56372

**Description:**

Gladinet CentreStack and Triofox are affected by a deserialization vulnerability due to the use of a hardcoded `machineKey` in the CentreStack portal. This allows threat actors who know the `machineKey` to serialize a payload for server-side deserialization, achieving remote code execution (RCE). Exploitation of this vulnerability has been observed in the wild since March 2025, and as of April 21, 2025, exploitation continues even on systems with the patch applied, potentially due to failures in automatic `machineKey` rotation. Approximately 120 endpoints across seven organizations have been compromised. Threat actors have been observed enumerating the host and Active Directory environment, reading configuration files, and executing malicious payloads in memory.

**Recommendations:**

Gladinet CentreStack versions prior to 16.4.10315.56368: Apply the latest update to version 16.4.10315.56368 or later. If patching is not immediately available, manually rotate the `machineKey` in the `portalweb.config` file.

Gladinet Triofox versions prior to 16.4.10317.56372: Update to version 16.4.10317.56372 or later.
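
Because exploitation has continued on patched systems where automatic `machineKey` rotation may have failed, the following added example (not from the vendor or the original advisory) compares collected copies of the portal configuration with a pre-patch copy and with each other, and builds a fresh key element for manual rotation. Function names, status labels and the sample XML are constructed for illustration; the `HMACSHA256`/`AES` settings are standard ASP.NET `machineKey` values assumed here, not taken from the advisory.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET


def key_fingerprint(config_xml):
    """Short SHA-256 fingerprint of a static machineKey; None if absent or auto-generated."""
    node = next(ET.fromstring(config_xml).iter("machineKey"), None)
    if node is None:
        return None  # no element: ASP.NET falls back to auto-generated keys
    keys = [node.get(a, "AutoGenerate") for a in ("validationKey", "decryptionKey")]
    if all(k.startswith("AutoGenerate") for k in keys):
        return None
    return hashlib.sha256("|".join(keys).upper().encode()).hexdigest()[:16]


def audit_rotation(baseline_xml, current_by_host):
    """Compare each host's current key with the pre-patch baseline and with its peers."""
    old = key_fingerprint(baseline_xml)
    prints = {host: key_fingerprint(xml) for host, xml in current_by_host.items()}
    return {host: ("auto-generated" if fp is None else
                   "NOT ROTATED" if fp == old else
                   "shared static key" if list(prints.values()).count(fp) > 1 else
                   "rotated")
            for host, fp in prints.items()}


def fresh_machine_key():
    """Replacement element with CSPRNG keys (algorithm choice is this example's assumption)."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="HMACSHA256" decryption="AES" />'
            % (secrets.token_hex(64).upper(), secrets.token_hex(32).upper()))


def sample_config(vkey, dkey):
    """Constructed stand-in for a portal config; not a real CentreStack file or key."""
    return ('<configuration><system.web><machineKey validationKey="%s" '
            'decryptionKey="%s" /></system.web></configuration>' % (vkey, dkey))


BASELINE = sample_config("AA" * 64, "BB" * 32)   # copy taken before patching
SAMPLE_HOSTS = {
    "host-a": BASELINE,                           # patched, key unchanged
    "host-b": sample_config("CC" * 64, "DD" * 32),
    "host-c": "<configuration><system.web /></configuration>",
}

if __name__ == "__main__":
    for name, status in audit_rotation(BASELINE, SAMPLE_HOSTS).items():
        print(name, status)
```

Only fingerprints are compared or printed, so the audit output can be shared without exposing the key material itself.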

Fix

RCE

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

BDU:2025-04968
CVE-2025-30406

Affected Products

Gladinet Centrestack