A critical vulnerability recently discovered in Gladinet CentreStack also extends its impact to the Triofox remote access and collaboration solution, leaving several organizations exposed to cyber attacks. This security flaw, tracked as CVE-2025-30406, has been actively exploited in the wild, affecting at least seven organizations. Here’s a deep dive into what this means for users of CentreStack and Triofox, and how they can protect themselves.
Security Flaw Explained: CVE-2025-30406
Tracked under CVE-2025-30406, this vulnerability presents a severe risk because of hardcoded cryptographic keys in the software's configuration. Because the keys are the same on every installation, an attacker who knows them can achieve remote code execution on internet-accessible servers. A CVSS score of 9.0 categorizes the flaw as critical, making it a high-priority issue for organizations using these systems.
Gladinet CentreStack addressed the vulnerability in its latest version, 16.4.10315.56368, released on April 3, 2025. However, the flaw also affects Gladinet Triofox versions up to 16.4.10317.56372, with the security issue stemming from the same hardcoded cryptographic keys being present in their configuration files. As a result, attackers can exploit these keys for remote code execution.
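The defensive takeaway from a hardcoded-key flaw is that a key shipped in a default configuration must be treated as public and rotated. The following added example (not Gladinet's code) shows how an operator might audit a configuration file for keys that match a shipped default, are too short, or have low entropy, and rotate the flagged ones. The page does not describe the real CentreStack or Triofox configuration layout, so the XML format with `<cryptoKey name="..." value="..."/>` elements, the default values and the sample file are all constructed for the example.

```python
"""Audit a configuration file for hardcoded cryptographic keys and rotate them.

Added example (not Gladinet's code). The real CentreStack/Triofox configuration
layout is not described on the page, so this assumes a constructed XML format
with <cryptoKey name="..." value="..."/> elements.
"""
import hashlib
import math
import secrets
import xml.etree.ElementTree as ET

# Constructed: key values a vendor shipped in its default configuration.
# In practice this list comes from the vendor advisory or from diffing two
# independent fresh installs (identical keys across installs = hardcoded).
CONSTRUCTED_DEFAULT_VALUES = [
    "0123456789ABCDEF" * 4,
]


def fingerprint(value: str) -> str:
    """SHA-256 of a key value, so the audit list never stores plaintext defaults."""
    return hashlib.sha256(value.encode()).hexdigest()


KNOWN_DEFAULT_FINGERPRINTS = {fingerprint(v) for v in CONSTRUCTED_DEFAULT_VALUES}

# Constructed sample config: one shipped default, one weak key, one rotated key.
SAMPLE_CONFIG = """<configuration>
  <cryptoKey name="sessionKey" value="{default}"/>
  <cryptoKey name="signingKey" value="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"/>
  <cryptoKey name="storageKey" value="9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"/>
</configuration>""".format(default=CONSTRUCTED_DEFAULT_VALUES[0])


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; a repeated or patterned key scores low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_config(xml_text: str, min_len: int = 32, min_entropy: float = 3.0):
    """Return (key name, reason) for every key that should be rotated."""
    findings = []
    for el in ET.fromstring(xml_text).iter("cryptoKey"):
        name, value = el.get("name"), el.get("value", "")
        if fingerprint(value) in KNOWN_DEFAULT_FINGERPRINTS:
            findings.append((name, "matches shipped default"))
        elif len(value) < min_len:
            findings.append((name, "too short"))
        elif shannon_entropy(value) < min_entropy:
            findings.append((name, "low entropy"))
    return findings


def rotate_flagged_keys(xml_text: str) -> str:
    """Replace every flagged key with a fresh 256-bit random value (hex)."""
    root = ET.fromstring(xml_text)
    flagged = {name for name, _ in audit_config(xml_text)}
    for el in root.iter("cryptoKey"):
        if el.get("name") in flagged:
            el.set("value", secrets.token_hex(32))  # 32 bytes = 64 hex chars
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, reason in audit_config(SAMPLE_CONFIG):
        print(f"ROTATE {name}: {reason}")
    print(audit_config(rotate_flagged_keys(SAMPLE_CONFIG)))  # expect []
```

The fingerprint check is the one that matters for a flaw like this: a shipped default can be long and look random, so length and entropy heuristics alone will not catch it. Rotating keys invalidates anything signed or encrypted under the old ones, so rotation belongs in the same change window as the vendor patch.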
The exploit was actively used as a zero-day in March 2025, though the exact nature of the attacks remains unclear. According to cybersecurity research firm Huntress, telemetry data indicates that the vulnerability has already impacted seven organizations. These organizations were compromised after attackers leveraged the flaw to deploy malicious payloads.
How Attackers Exploit the Vulnerability
Upon gaining access to vulnerable systems, attackers have been observed using PowerShell scripts to sideload a DLL, a tactic also seen in recent attacks that targeted the CrushFTP flaw. From there, the attackers conducted lateral movement within the network and installed MeshCentral for remote access. To carry out these attacks, the perpetrators used Impacket PowerShell commands to enumerate network data and install MeshAgent, a tool for remote system management.
While the scale of the attacks and the
What Undercode Says:
From a broader perspective, this security incident underscores the ongoing challenge of protecting systems from attacks that exploit inherent software vulnerabilities, particularly those related to cryptographic practices. The use of hardcoded keys is a known weak point in many applications, but it’s still not uncommon in software development, especially in complex systems such as remote access solutions.
In this case, the exploitation of Gladinet's software demonstrates a fundamental security oversight that has led to real-world consequences. The fact that this vulnerability was actively exploited as a zero-day attack in March 2025 points to an urgent need for better monitoring and patching mechanisms within the affected products.
Furthermore, while the update to CentreStack has been released, the fact that Triofox versions remained vulnerable until the discovery of the flaw is concerning. This suggests that the vendor's patching practices may not have been proactive enough. Users who fail to update to the latest versions of both CentreStack and Triofox are left exposed to ongoing exploitation attempts, which could lead to the theft of sensitive data or further malicious activity within their networks.
Looking at the bigger picture, this attack aligns with trends seen in other recent cyber incidents, such as those exploiting hardcoded credentials or insecure configurations in widely used software. As remote work and cloud-based collaboration tools become more central to business operations, the security of these tools will remain a high priority.
The use of advanced lateral movement tactics, such as the deployment of MeshCentral and MeshAgent, highlights the sophistication of modern cybercriminals. These tools allow attackers to gain persistent access to compromised networks, which increases the difficulty of detecting and mitigating the attack. Organizations that rely on these tools for collaboration must ensure they have robust monitoring and incident response practices in place to quickly detect any signs of compromise.
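The post-exploitation chain described earlier (a web-facing server spawning PowerShell, a DLL sideloaded from a non-system path, Impacket-style remote commands, and a MeshAgent install) and the monitoring this paragraph calls for can be turned into concrete detection rules over process-creation telemetry. The following is an added example, not Huntress's or Gladinet's detection logic. The events are constructed; the web worker process name (w3wp.exe, the IIS worker) is an assumption, since the page does not name the server process, and the ADMIN$ redirect rule relies on the well-known default behaviour of Impacket's wmiexec rather than anything stated on the page.

```python
"""Flag post-exploitation activity of the kind described above in
process-creation telemetry.

Added example, not Huntress's or Gladinet's detection logic. Events are
constructed; w3wp.exe as the web worker is an assumption.
"""
import re

# Constructed sample telemetry: parent image, image, command line.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "w3wp.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBB..."},   # placeholder payload
    {"id": 2, "parent": "powershell.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\update\helper.dll,Start"},
    {"id": 3, "parent": "cmd.exe", "image": "MeshAgent.exe",
     "cmdline": r"C:\ProgramData\mesh\MeshAgent.exe -install"},
    {"id": 4, "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712000000.1 2>&1"},
    {"id": 5, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Date"},                        # benign
]

WEB_WORKERS = {"w3wp.exe"}  # assumption: the application runs under IIS
SHELLS = {"powershell.exe", "cmd.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Impacket's wmiexec redirects each command's output to ADMIN$\__<timestamp>.
ADMIN_SHARE_REDIRECT = re.compile(r"\\admin\$\\__\d", re.IGNORECASE)


def detect(events):
    """Return (rule name, event id) for every rule an event trips."""
    hits = []
    for ev in events:
        parent, image = ev["parent"].lower(), ev["image"].lower()
        cmd = ev["cmdline"].lower()

        # 1. The web application's worker process should never spawn a shell.
        if parent in WEB_WORKERS and image in SHELLS:
            hits.append(("web_worker_spawned_shell", ev["id"]))

        # 2. PowerShell driving a DLL loader with a DLL outside the system dirs.
        if (parent == "powershell.exe" and image in DLL_LOADERS
                and ".dll" in cmd and not any(d in cmd for d in SYSTEM_DIRS)):
            hits.append(("powershell_dll_sideload", ev["id"]))

        # 3. MeshAgent being installed is a sign of unsanctioned remote access.
        if image == "meshagent.exe" or ("meshagent" in cmd and "-install" in cmd):
            hits.append(("meshagent_install", ev["id"]))

        # 4. Output redirected to the ADMIN$ share: wmiexec-style remote execution.
        if ADMIN_SHARE_REDIRECT.search(cmd):
            hits.append(("impacket_wmiexec_pattern", ev["id"]))
    return hits


def flagged_event_ids(events):
    """Set of event ids that tripped at least one rule."""
    return {event_id for _, event_id in detect(events)}


if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: event {event_id}")
```

Rules 1 and 2 are the ones worth tuning first: an application server whose worker process starts a shell is a strong signal on its own, regardless of which CVE produced it, while the MeshAgent and ADMIN$ rules should be suppressed for hosts where those tools are sanctioned.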
Fact Checker Results:
- The CVE-2025-30406 vulnerability has been actively exploited, impacting at least seven organizations.
- Gladinet CentreStack addressed the issue in version 16.4.10315.56368, released on April 3, 2025.
- The exploitation of the vulnerability involved the deployment of malicious DLLs, PowerShell scripts, and MeshCentral for remote access.
References:
Reported By: thehackernews.com