A recently discovered security vulnerability in Gladinet CentreStack and Triofox software is currently being exploited by attackers in the wild. This critical flaw, tracked as CVE-2025-30406, poses a significant risk to organizations that use these platforms for file-sharing and remote access, as it can lead to remote code execution (RCE) and full server compromise. Discovered by security researchers at Huntress, the issue is related to a deserialization flaw caused by the software’s use of a hardcoded machineKey.
CVE-2025-30406: A Deserialization Vulnerability That Opens the Door to RCE
CVE-2025-30406 has been given a critical CVSS score of 9.0 due to its potential for exploitation. The flaw stems from the use of hardcoded keys in the web.config file of Gladinet CentreStack and Triofox. These keys are intended to secure ASP.NET ViewState data, which maintains the state of a web page between HTTP requests. However, the improper protection of these machineKeys allows attackers to forge ViewState payloads that pass integrity checks.
Once attackers obtain or predict the machineKey, they can exploit the vulnerability to trigger ViewState deserialization attacks. In such attacks, attackers can execute arbitrary code on the vulnerable web server, potentially gaining remote access to sensitive systems. This flaw was first exploited in March 2025 and has already led to at least seven organizations being compromised, with hundreds of vulnerable servers exposed to the Internet.
On April 3, 2025, Gladinet released an update to address CVE-2025-30406, patching the vulnerability in version 16.4.10315.56368. The fix improves key management practices to mitigate the exposure, and for those unable to immediately update, rotating the machineKey values provides an effective temporary mitigation.
A Growing Threat: Exploitation in the Wild and Implications for Organizations
As of April 11, 2025, Huntress reported observing suspicious activity associated with CVE-2025-30406. The threat actors involved have used this exploit to gain access to vulnerable systems, employing advanced techniques such as lateral movement and the installation of MeshCentral remote access tools. The researchers also discovered that attackers were using PowerShell commands to download and execute a malicious DLL, a technique that mirrors recent exploits like those targeting CrushFTP.
The severity of this flaw cannot be overstated: the vulnerability is easily exploitable, requiring nothing more than knowledge of the default machineKey values. The risk is particularly high for organizations that expose their Gladinet CentreStack or Triofox servers to the internet. Huntress has detected at least 120 endpoints running the vulnerable software and urges all affected organizations to patch their systems as soon as possible.
What Undercode Says: An In-Depth Analysis
The security community has long been aware of the risks associated with deserialization vulnerabilities, but CVE-2025-30406 underscores just how critical these flaws can be when coupled with improper key management. By hardcoding sensitive keys like the machineKey in the web.config file, both Gladinet CentreStack and Triofox inadvertently created an attack vector that is easy to exploit. This is a stark reminder that even seemingly small oversights in configuration can lead to catastrophic consequences.
The issue also highlights a common problem in the web application development world: the reliance on default configurations or weakly protected credentials. Attackers, particularly in today’s threat landscape, are adept at finding and exploiting these overlooked weaknesses. The fact that CVE-2025-30406 has been actively exploited in the wild since its discovery should be a wake-up call for organizations to review their security posture and ensure that all software they use is up to date with the latest patches.
Furthermore, the exploitation of this vulnerability demonstrates the evolving tactics of threat actors. Rather than relying solely on direct server compromises, attackers are increasingly using lateral movement techniques to spread across networks, often installing tools like MeshCentral to maintain persistent access. The use of PowerShell to download and execute a DLL is also indicative of the growing sophistication of these attacks, making them harder to detect and mitigate.
Organizations should also take note of the recommendations provided by Huntress and CISA, both of which stress the importance of patching affected systems or, in the interim, rotating the machineKey values to reduce the risk of exploitation. Given the widespread nature of this vulnerability, it is crucial for organizations to act swiftly.
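The interim mitigation recommended above and in the patch description (rotating the web.config machineKey so that a key known to attackers no longer validates ViewState) can be checked and applied from a script. The following is an added example written for this article, not code from Gladinet, Huntress or CISA; the web.config fragment is constructed, the "known default" set is a placeholder rather than the real vendor values, and the helper names are assumptions.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample (not Gladinet's real web.config): a static <machineKey>
# under <system.web>, the configuration pattern CVE-2025-30406 concerns.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Placeholder only: an auditor would load the vendor-shipped default values from
# the advisory. The real hardcoded keys are deliberately not reproduced here.
KNOWN_DEFAULT_VALIDATION_KEYS = {"<placeholder: vendor default validationKey>"}


def audit_machine_key(config_xml: str) -> dict:
    """Report whether web.config carries a static machineKey and whether it is a known default."""
    root = ET.fromstring(config_xml)
    node = root.find("system.web/machineKey")
    if node is None:
        # No element means ASP.NET auto-generates per-server keys (safe from this flaw).
        return {"present": False, "static": False, "known_default": False, "validation": None}
    vkey = node.get("validationKey", "AutoGenerate")
    dkey = node.get("decryptionKey", "AutoGenerate")
    static = not (vkey.startswith("AutoGenerate") or dkey.startswith("AutoGenerate"))
    return {
        "present": True,
        "static": static,
        "known_default": vkey in KNOWN_DEFAULT_VALIDATION_KEYS,
        "validation": node.get("validation"),
    }


def rotated_machine_key() -> str:
    """Build a replacement <machineKey/> with fresh CSPRNG keys:
    64-byte validationKey for HMACSHA256, 32-byte decryptionKey for AES-256."""
    vkey = secrets.token_hex(64).upper()
    dkey = secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{vkey}" decryptionKey="{dkey}" '
            'validation="HMACSHA256" decryption="AES" />')


def rotate_config(config_xml: str) -> str:
    """Swap the first self-closing <machineKey .../> element for a freshly generated one."""
    return re.sub(r"<machineKey\b[^>]*/>", rotated_machine_key(), config_xml, count=1)
```

Rotation invalidates every ViewState and forms-authentication ticket issued under the old key, so apply the new element to all nodes of a web farm at once and expect users to re-authenticate.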
Fact Checker Results:
- Vulnerability Exists: CVE-2025-30406 is confirmed to be a critical flaw in both Gladinet CentreStack and Triofox, with an active exploitation campaign in the wild.
- Severity Rating: The CVSS score of 9.0 reflects the high severity of the issue, which can lead to remote code execution if left unaddressed.
- Effective Patch Available: Gladinet has released a patch for CVE-2025-30406 that addresses the deserialization vulnerability by improving key management.
References:
Reported By: securityaffairs.com