Zero-Day Exploit in CentreStack: A Major Threat to Managed Service Providers (MSPs)


A serious zero-day vulnerability has been identified in CentreStack, a file-sharing platform widely used by Managed Service Providers (MSPs). Discovered in early April 2025, the flaw had already been exploited by cybercriminals, putting at risk the thousands of businesses that rely on the platform.

The vulnerability, designated CVE-2025-30406, is a deserialization issue that allows attackers to execute code remotely on affected systems. It is especially critical because many MSPs build the file-sharing and management services they offer clients on CentreStack, so a compromise potentially exposes vast amounts of sensitive data.

The Vulnerability

The deserialization vulnerability in CentreStack allows attackers to craft malicious payloads that pass the platform's integrity checks, leading to remote code execution (RCE). The flaw stems from a hardcoded machineKey in the IIS web.config file; that key is what protects the ASP.NET ViewState data. An attacker who obtains or guesses the key can forge ViewState data that the server accepts as genuine and deserializes, causing it to execute the attacker's code.

CentreStack is popular among MSPs because of features such as multi-tenancy support, white-label branding, and seamless Active Directory integration, which make it an attractive choice for secure file management. However, those same capabilities mean that exploiting the vulnerability could give attackers privileged access not only to the file-sharing platform but also to the networks and data of downstream customers.

The vulnerability has been actively exploited since March 2025, and on April 9, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog. Federal agencies have been instructed to patch the vulnerability by April 29, 2025.

Gladinet, the developer of CentreStack, has issued a security advisory urging customers to upgrade to version 16.4.10315.56368, which generates a unique machineKey for each installation and thereby resolves the issue. For those who cannot update immediately, rotating the machineKey values is recommended as a temporary mitigation.
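The two defensive tasks the article describes, checking a deployment for a static machineKey shared across installations and preparing fresh per-installation values for a rotation, can be scripted. The example below is added here and is not CentreStack's or Gladinet's code; the web.config contents, tenant paths and key values are constructed for the demonstration, and the finding codes are this script's own naming.

```python
"""Audit ASP.NET web.config files for a static <machineKey> and prepare a rotation.

Added example, not CentreStack code: the configs below are constructed; the
tenant paths, key values and finding codes are made up for this demonstration.
"""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: tenants A and B ship the same static key (the pattern the
# advisory describes: one key baked into every installation); tenant C leaves key
# generation to ASP.NET so each host gets its own.
STATIC_KEY_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

AUTO_KEY_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

SAMPLE_CONFIGS = {
    "tenant-a/web.config": STATIC_KEY_CONFIG,
    "tenant-b/web.config": STATIC_KEY_CONFIG,
    "tenant-c/web.config": AUTO_KEY_CONFIG,
}

# Algorithms ASP.NET still accepts but no longer recommends for ViewState MAC / encryption.
LEGACY_VALIDATION = {"MD5", "SHA1"}
LEGACY_DECRYPTION = {"DES", "3DES"}


def parse_machine_key(xml_text):
    """Return the <machineKey> attributes, or None if the element is absent
    (ASP.NET then defaults to AutoGenerate,IsolateApps)."""
    root = ET.fromstring(xml_text)
    node = root.find("system.web/machineKey")
    return dict(node.attrib) if node is not None else None


def is_static(value):
    """A key is static unless it is left in ASP.NET's AutoGenerate mode."""
    return value is not None and value.split(",")[0].strip() != "AutoGenerate"


def audit_machine_key(attrs):
    """Return finding codes for one <machineKey> element (empty list = nothing to report)."""
    if attrs is None:
        return []  # no element: framework default is auto-generated, per-app keys
    findings = []
    if is_static(attrs.get("validationKey")):
        findings.append("STATIC_VALIDATION_KEY")
    if is_static(attrs.get("decryptionKey")):
        findings.append("STATIC_DECRYPTION_KEY")
    if attrs.get("validation", "").upper() in LEGACY_VALIDATION:
        findings.append("LEGACY_VALIDATION_ALG")
    if attrs.get("decryption", "").upper() in LEGACY_DECRYPTION:
        findings.append("LEGACY_DECRYPTION_ALG")
    return findings


def find_shared_keys(configs):
    """Map each static validationKey found in more than one config to the configs sharing it.
    One shared key means a single leak lets forged ViewState pass the MAC check everywhere."""
    seen = defaultdict(list)
    for path, text in configs.items():
        attrs = parse_machine_key(text)
        if attrs and is_static(attrs.get("validationKey")):
            seen[attrs["validationKey"]].append(path)
    return {key: paths for key, paths in seen.items() if len(paths) > 1}


def generate_machine_key():
    """Fresh per-installation values: 64-byte validationKey for HMACSHA256 and a
    32-byte AES decryptionKey, hex-encoded as web.config expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(attrs):
    """Render the attributes as a <machineKey> element ready to paste into web.config."""
    parts = " ".join(f'{k}="{v}"' for k, v in attrs.items())
    return f"<machineKey {parts} />"


if __name__ == "__main__":
    for path, text in SAMPLE_CONFIGS.items():
        print(path, audit_machine_key(parse_machine_key(text)) or ["OK"])
    for key, paths in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"validationKey {key[:16]}... is shared by {paths}")
    print("replacement element:", render_machine_key(generate_machine_key()))
```

Run against real deployments, point `SAMPLE_CONFIGS` at the actual web.config files of every installation you manage; a key reported by `find_shared_keys` is the condition the advisory warns about, and a rotation means installing a distinct `generate_machine_key()` result on each host (all servers in one load-balanced farm must share the same new value, or their ViewState will not validate across nodes).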

What Undercode Says:

The CentreStack zero-day vulnerability highlights an important trend in the evolving landscape of cybersecurity threats targeting Managed Service Providers. Because MSPs act as intermediaries, providing services to multiple organizations and handling a range of sensitive data, they are an attractive target for cybercriminals. The exploitation of this vulnerability reinforces the need for MSPs to adopt stronger security measures and more proactive monitoring.

From a broader cybersecurity perspective, this flaw exemplifies a critical weakness that could lead to massive downstream impact. By compromising a single MSP, an attacker gains access to multiple organizations at once, creating a chain of exposure. This multi-level threat amplifies the consequences, as we saw in the 2024 ConnectWise ScreenConnect exploitation, where vulnerabilities in MSP tools led to widespread ransomware deployments.

Furthermore, the deserialization flaw itself is not unique to CentreStack. While the specifics of an attack vary, deserialization vulnerabilities have been a common theme in recent cyberattacks, making this a recurring issue for the broader security community. Understanding how these vulnerabilities arise, from hardcoded values like the machineKey to improper data handling, can help security professionals better protect their own systems.

For Gladinet, the security advisory comes at a time when confidence in MSP tools is fragile. As more high-profile attacks target MSP platforms, the trust placed in these services can wane, potentially driving clients to seek alternatives. It’s essential for Gladinet to demonstrate transparency in how they mitigate the issue and prevent similar vulnerabilities in the future. This incident may serve as a critical turning point for MSP-focused cybersecurity, urging more robust defense mechanisms and faster patching protocols.

Given the increasing trend of cyberattacks targeting service providers and platform vulnerabilities, businesses relying on these platforms should always be ready to act quickly, patching vulnerabilities and strengthening security protocols. Cybersecurity must evolve alongside the threats, and a delayed response could mean catastrophic consequences for both service providers and their clients.

Fact Checker Results:

  • Vulnerability Identification: The CVE-2025-30406 flaw has been confirmed by multiple security agencies, including CISA, to be actively exploited.
  • Affected Platforms:
  • Mitigation Steps: Gladinet has recommended patching to the latest software version or, at a minimum, rotating the machineKey for temporary protection.

References:

Reported By: www.darkreading.com