CVE-2025-30406

Published Apr 3, 2025

Last updated a month ago

Exploit knownCVSS critical 9.0
Gladinet CentreStack

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-30406 is a vulnerability affecting Gladinet CentreStack, a cloud-based enterprise file-sharing platform. It stems from the use of a hard-coded cryptographic key within the application's web configuration files (web.config). This key is used for ViewState integrity verification. Successful exploitation of this flaw allows an attacker to forge ViewState payloads. This enables server-side deserialization, ultimately leading to remote code execution. The vulnerability is classified as CWE-321, which highlights the risks associated with using hard-coded cryptographic keys.

Description
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.
Source
cve@mitre.org
NVD status
Analyzed

Insights

Analysis from the Intruder Security Team
Published Apr 14, 2025 Updated Apr 14, 2025

This vulnerability is caused by the installer for the application using a hardcoded value for the validation and decryption key (sometimes known as the machine keys). These values are the same for all instances created by the vulnerable installer, and so an attacker can find these keys for your instance very easily.

If an attacker possesses these keys, they can execute code of their choice on the server remotely using well-known methods.

Updating to the latest version will cause the keys to be regenerated to secret values.

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability
Exploit added on
Apr 8, 2025
Exploit action due
Apr 29, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

cve@mitre.org
CWE-321
nvd@nist.gov
CWE-798

Social media

Hype score
Not currently trending

  1. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    15 May 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. MSSPs & MSPs are prime targets: a single exploited vulnerability can trigger multi-organization breaches. In @msspalert, Co-founder and Picus Labs VP @su13ym4n explains the risks revealed by the recent CentreStack flaw (CVE-2025-30406). Read more → https://t.co/EE7NgZSggF

    @PicusSecurity

    14 May 2025

    67 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    12 May 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    10 May 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    9 May 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. Critical Gladinet CentreStack flaw (CVE-2025-30406) threatens MSPs & their customers. @su13ym4n warns: "One server breach can escalate into a multi-organization data disaster." Covered by @ChannelFutures → https://t.co/owgYfuH1e6 #CyberSecurity #MSP https://t.co/0s4YYoLKR

    @PicusSecurity

    8 May 2025

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    8 May 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    7 May 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    2 May 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    1 May 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  11. 🚨 New #ZeroDay in CentreStack is being exploited in the wild. @DarkReading highlights CVE-2025-30406, a deserialization flaw that threatens MSPs and their clients. 🗣️ Insight from Picus Labs VP @su13ym4n: “If the machineKey is compromised, RCE becomes possible.” Re

    @PicusSecurity

    30 Apr 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    26 Apr 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  13. Comment: Given that the vulnerability has been actively exploited since March 2025, has there been any analysis regarding the initial attack vector used to exploit CVE-2025-30406, and wh... #Cybersecurity https://t.co/2otvVNUTFH

    @storagetechnews

    26 Apr 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Hey! CISA says Gladinet CentreStack has a critical flaw (CVE-2025-30406, score 9.0!) that's ALREADY being exploited! Update ASAP or rotate those machineKeys! #cybersecurity https://t.co/Z5BkSpq7vd

    @storagetechnews

    26 Apr 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    24 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  16. Exploit for CVE-2025-30406(Gladinet CentreStack & Triofox) https://t.co/VBcXuxBaFI https://t.co/bP6QnZ8Af0

    @W01fh4cker

    24 Apr 2025

    2019 Impressions

    10 Retweets

    23 Likes

    6 Bookmarks

    1 Reply

    0 Quotes

  17. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    23 Apr 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  18. I have just written a proof of concept (PoC) for CVE-2025-30406, a deserialization vulnerability resulting from the abuse of a hardcoded machine key. This vulnerability is easily exploitable, as demonstrated by @_JohnHammond as well. Be sure to upgrade your Gladinet CentreStack h

    @gothburz

    22 Apr 2025

    4260 Impressions

    11 Retweets

    100 Likes

    6 Bookmarks

    2 Replies

    0 Quotes

  19. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    22 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  20. Huntress continues to observe in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in Gladinet CentreStack and Triofox

    @HuntressLabs

    22 Apr 2025

    2660 Impressions

    9 Retweets

    29 Likes

    4 Bookmarks

    1 Reply

    0 Quotes

  21. 2025 Bug Bounties! Hunt: CVE-2025-30406: Gladinet key CVE-2025-29824: Windows EoP CVE-2025-24054: NTLM theft CVE-2025-24813: Tomcat bug CVE-2025-32433: SSH RCE Burp, Amass. Big bounties! Get Bug Bounty Guide 2025! #BugBounty #VulnHunting2025 https://t.co/tin4q4LnYa

    @Viper_Droidd

    21 Apr 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    21 Apr 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  23. Active exploitation of CVE-2025-30406 C2 IP: 146.70.41.178

    @_horus_labs

    21 Apr 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    20 Apr 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  25. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    19 Apr 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  26. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    18 Apr 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  27. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    17 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  28. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    16 Apr 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  29. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    16 Apr 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  30. does anyone know the machinekey for CVE-2025-30406? cant be bothered to find it myself lol

    @PsExec64

    16 Apr 2025

    1650 Impressions

    0 Retweets

    8 Likes

    1 Bookmark

    2 Replies

    0 Quotes

  31. Critical vulnerability CVE-2025-30406 is being exploited in Gladinet CentreStack and Triofox software, risking remote code execution. Urgent updates are necessary! ⚠️ #CVE2025 #Gladinet #USSecurity link: https://t.co/7FpM27Az43 https://t.co/OwsJdWMBpE

    @TweetThreatNews

    15 Apr 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. 🚨 Critical RCE flaw in Gladinet’s Triofox & CentreStack is under active attack. A hardcoded crypto key (CVE-2025-30406, CVSS 9.0) is being exploited in the wild—allowing remote code execution on internet-facing servers. 👇 https://t.co/cbEtfGm0qm

    @efani

    15 Apr 2025

    367 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  33. CVE-2025-30406 in Gladinet CentreStack/Triofox is under active attack. RCE via hardcoded machineKey lets hackers escalate to SYSTEM. Patch now or rotate keys—CISA flags it critical. https://t.co/uKKJv0Ruer #cybersecurity

    @dCypherIO

    15 Apr 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    15 Apr 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  35. #GladinetCentreStack users - you can now check for CVE-2025-30406 with Intruder ✔️ Our active check is live, so you can find out fast if you're at risk. 👉 Sign up for free to scan your environment today: https://t.co/qgJyxj5rL5 https://t.co/fhEXlwpATD

    @intruder_io

    15 Apr 2025

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. 🚨 New CISA Alert! Gladinet CentreStack flaw (CVE-2025-30406, CVSS 9.0) is actively exploited. ▶️ Hard-coded machineKey enables remote code execution. ▶️ Exploited as a zero-day in March 2025. Patch or rotate keys now. https://t.co/o53mPy8NP0

    @achi_tech

    15 Apr 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. csirt_it: ‼ #Exploited #Gladinet: rilevato sfruttamento in rete della CVE-2025-30406 relativa al prodotto #CentreStack Rischio: 🟠 Tipologia: 🔸 Remote Code Execution 🔗 https://t.co/6uEpbChyar 🔄 Aggiornamenti disponibili 🔄 https://t.co/SrKKSRYKAO

    @Vulcanux_

    15 Apr 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. 🚨 Critical RCE Alert: CVE-2025-30406 A new vulnerability in Gladinet CentreStack & Triofox software is being exploited in the wild — with 7 orgs already compromised since March 2025.  CVSS Score: 9.0  Affected: Triofox ≤ v16.4.10317.56372  Exploit: Remote code execution h

    @modat_magnify

    15 Apr 2025

    51 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  39. 🚨 Critical RCE Alert: CVE-2025-30406 A new vulnerability in Gladinet CentreStack & Triofox software is being exploited in the wild — with 7 orgs already compromised since March 2025.  CVSS Score: 9.0  Affected: Triofox ≤ v16.4.10317.56372  Exploit: Remote code execution h

    @modat_magnify

    15 Apr 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. A critical RCE vulnerability (CVE-2025-30406) in Gladinet's CentreStack and Triofox software threatens organizations with a CVSS score of 9.0. Seven victims reported exploitation. ⚠️ #Gladinet #RemoteCodeExecution #USA link: https://t.co/iw50WYHjEs https://t.co/Rn2S7y6LIx

    @TweetThreatNews

    15 Apr 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. 📌 تم اكتشاف ثغرة أمنية خطيرة في Gladinet CentreStack تؤثر أيضًا على Triofox، مما تسبب في اختراق سبع منظمات حتى الآن. تُعرف هذه الثغرة بـ CVE-2025-30406 (تقييم CVSS: 9.0) وتتعلق باستخدام مفتاح تشفيري ثابت، مما يعرض الخوادم المتصلة بالإنترنت لهجمات تنفيذ الشيفرة عن بُعد. #الامن…

    @Cybercachear

    15 Apr 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. Huntress、重要なGladinetの脆弱性が実際に悪用されている状況を記録(CVE-2025-30406) https://t.co/K57ZmXR2FO #Security #セキュリティ #ニュース

    @SecureShield_

    15 Apr 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    15 Apr 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  44. Gladinet CentreStack 及びTriofoxにおける重大(Critical)な脆弱性の悪用について。Huntress社報告。CVE-2025-30406はCVSSスコア9で、4月に既知の悪用された脆弱性カタログに登録されたもの。ASPX ViewState保護を迂回しコード実行が可能。PowerShellコマンドからの悪用。 https://t.co/UJTJbYaEth

    @__kokumoto

    14 Apr 2025

    34 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  45. Attackers are exploiting CentreStack’s CVE-2025-30406—a deserialization flaw tied to a hardcoded machineKey.  We spotted an exploit attempt, isolated the server, & confirmed no further compromise—despite a patch being in place.  What MSPs must do:  ➡️ https://t.co/85Qwk2KTd

    @BlackpointUS

    14 Apr 2025

    69 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. CVE-2025-30406 is a critical (CVSS 9.8) vulnerability in Gladinet CentreStack. The issue is caused by the installer using hardcoded values for the validation and decryption key. Get the latest from our security team: https://t.co/Xseu2rT2MY https://t.co/RXNRpYGxYg

    @intruder_io

    14 Apr 2025

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. Huntress has observed in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in the Gladinet CentreStack enterprise file-sharing platform.

    @HuntressLabs

    14 Apr 2025

    5640 Impressions

    12 Retweets

    35 Likes

    2 Bookmarks

    2 Replies

    0 Quotes

  48. Top 5 Trending CVEs: 1 - CVE-2021-35587 2 - CVE-2025-30406 3 - CVE-2023-43622 4 - CVE-2025-24813 5 - CVE-2025-3248 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    13 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. I got a proof-of-concept working for CVE-2025-30406, recently added to CISA's KEV. It's point and shoot 🙃 https://t.co/Wimc183h0h

    @_JohnHammond

    12 Apr 2025

    39691 Impressions

    66 Retweets

    615 Likes

    191 Bookmarks

    9 Replies

    0 Quotes

  50. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    11 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations

References

Sources include official advisories and independent security research.