CVE-2025-30406

Published Apr 3, 2025

Last updated 4 days ago

Exploit known
CVSS critical 9.0
Gladinet CentreStack

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-30406 is a vulnerability affecting Gladinet CentreStack, a cloud-based enterprise file-sharing platform. It stems from the use of a hard-coded cryptographic key within the application's web configuration files (web.config). This key is used for ViewState integrity verification. Successful exploitation of this flaw allows an attacker to forge ViewState payloads. This enables server-side deserialization, ultimately leading to remote code execution. The vulnerability is classified as CWE-321, which highlights the risks associated with using hard-coded cryptographic keys.

Description
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.
Source
cve@mitre.org
NVD status
Analyzed

Insights

Analysis from the Intruder Security Team
Published Apr 14, 2025 Updated Apr 14, 2025

This vulnerability is caused by the application's installer using a hardcoded value for the validation and decryption keys (the ASP.NET machineKey). These values are the same for every instance created by the vulnerable installer, so an attacker can obtain the keys for your instance very easily.

If an attacker possesses these keys, they can execute code of their choice on the server remotely using well-known methods.

Updating to the latest version will cause the keys to be regenerated to secret values.
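As an added example (not Intruder's, Gladinet's or CISA's code), the audit below parses an ASP.NET web.config, classifies how the portal gets its ViewState keys, compares the configured validationKey against a fingerprint list of installer-default keys, and rewrites the file either by deleting the machineKey element (the manual mitigation named in the description for portal\web.config) or by generating fresh per-deployment keys (what the update does). The sample config, its key values and the fingerprint set are constructed for this example and are not the real CentreStack or Triofox keys.

```python
"""Audit an ASP.NET web.config for a shared, installer-stamped <machineKey>.

Added example: not Intruder's, Gladinet's or CISA's code. All key material
below is constructed for illustration and is NOT the real CentreStack key.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: what portal\web.config looks like when an installer stamps
# the same keys into every deployment (the CWE-321 / CWE-798 pattern above).
STATIC_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# SHA-256 fingerprints of validationKeys known to ship with a vulnerable
# installer. Keeping a hash lets the audit recognise the key without the key
# itself living in the scanner. Constructed from the sample config above.
KNOWN_STATIC_FINGERPRINTS = {
    hashlib.sha256(b"0123456789ABCDEF" * 4).hexdigest(),
}


def find_machine_key(config_xml: str):
    """Return the attribute dict of <system.web><machineKey>, or None if absent."""
    root = ET.fromstring(config_xml)
    node = root.find("system.web/machineKey")
    return None if node is None else dict(node.attrib)


def classify_machine_key(config_xml: str) -> str:
    """How the application obtains its ViewState keys:
    'absent'       - no element; ASP.NET auto-generates a per-server key
    'autogenerate' - element present but both keys set to AutoGenerate
    'explicit'     - key material written into the file (a finding if that
                     material is shared across installs)
    """
    attrs = find_machine_key(config_xml)
    if attrs is None:
        return "absent"
    vk = attrs.get("validationKey", "AutoGenerate")
    dk = attrs.get("decryptionKey", "AutoGenerate")
    if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
        return "autogenerate"
    return "explicit"


def matches_known_static_key(config_xml: str, fingerprints=KNOWN_STATIC_FINGERPRINTS) -> bool:
    """True when the configured validationKey is a fingerprinted installer default."""
    attrs = find_machine_key(config_xml)
    if attrs is None or "validationKey" not in attrs:
        return False
    digest = hashlib.sha256(attrs["validationKey"].encode("ascii")).hexdigest()
    return digest in fingerprints


def generate_machine_key_element() -> ET.Element:
    """Fresh random keys: 64-byte HMACSHA256 validation key, 32-byte AES key."""
    return ET.Element("machineKey", {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    })


def remediate(config_xml: str, mode: str = "regenerate") -> str:
    """Return a rewritten web.config.
    mode='remove'     - drop the element, as the advisory's manual mitigation
                        does (ASP.NET then falls back to auto-generated keys)
    mode='regenerate' - replace it with fresh per-deployment secrets, which is
                        what a patched installer does and what a multi-node
                        deployment needs (every node must share the same key)
    """
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    for old in system_web.findall("machineKey"):
        system_web.remove(old)
    if mode == "regenerate":
        system_web.append(generate_machine_key_element())
    elif mode != "remove":
        raise ValueError("mode must be 'remove' or 'regenerate'")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", classify_machine_key(STATIC_WEB_CONFIG),
          "known-default:", matches_known_static_key(STATIC_WEB_CONFIG))
    fixed = remediate(STATIC_WEB_CONFIG)
    print("after: ", classify_machine_key(fixed),
          "known-default:", matches_known_static_key(fixed))
```

Run it against a copy of the file rather than the live config, and treat a fingerprint match as evidence that the install was vulnerable, not as evidence that it was exploited; that question belongs to log review of the ViewState-handling endpoints. If the portal runs on more than one node, deleting the element is not enough on its own, because auto-generated keys differ per server and ViewState from one node will fail validation on another; generate one fresh pair and install the same values on every node.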

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability
Exploit added on
Apr 8, 2025
Exploit action due
Apr 29, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

cve@mitre.org
CWE-321
nvd@nist.gov
CWE-798

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

7

  1. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    24 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Exploit for CVE-2025-30406(Gladinet CentreStack & Triofox) https://t.co/VBcXuxBaFI https://t.co/bP6QnZ8Af0

    @W01fh4cker

    24 Apr 2025

    2019 Impressions

    10 Retweets

    23 Likes

    6 Bookmarks

    1 Reply

    0 Quotes

  3. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    23 Apr 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. I have just written a proof of concept (PoC) for CVE-2025-30406, a deserialization vulnerability resulting from the abuse of a hardcoded machine key. This vulnerability is easily exploitable, as demonstrated by @_JohnHammond as well. Be sure to upgrade your Gladinet CentreStack h

    @gothburz

    22 Apr 2025

    4260 Impressions

    11 Retweets

    100 Likes

    6 Bookmarks

    2 Replies

    0 Quotes

  5. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    22 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. Huntress continues to observe in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in Gladinet CentreStack and Triofox

    @HuntressLabs

    22 Apr 2025

    2660 Impressions

    9 Retweets

    29 Likes

    4 Bookmarks

    1 Reply

    0 Quotes

  7. 2025 Bug Bounties! Hunt: CVE-2025-30406: Gladinet key CVE-2025-29824: Windows EoP CVE-2025-24054: NTLM theft CVE-2025-24813: Tomcat bug CVE-2025-32433: SSH RCE Burp, Amass. Big bounties! Get Bug Bounty Guide 2025! #BugBounty #VulnHunting2025 https://t.co/tin4q4LnYa

    @Viper_Droidd

    21 Apr 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    21 Apr 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. Active exploitation of CVE-2025-30406 C2 IP: 146.70.41.178

    @_horus_labs

    21 Apr 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    20 Apr 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  11. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    19 Apr 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    18 Apr 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  13. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    17 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    16 Apr 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  15. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    16 Apr 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  16. does anyone know the machinekey for CVE-2025-30406? can't be bothered to find it myself lol

    @PsExec64

    16 Apr 2025

    1650 Impressions

    0 Retweets

    8 Likes

    1 Bookmark

    2 Replies

    0 Quotes

  17. Critical vulnerability CVE-2025-30406 is being exploited in Gladinet CentreStack and Triofox software, risking remote code execution. Urgent updates are necessary! ⚠️ #CVE2025 #Gladinet #USSecurity link: https://t.co/7FpM27Az43 https://t.co/OwsJdWMBpE

    @TweetThreatNews

    15 Apr 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 Critical RCE flaw in Gladinet’s Triofox & CentreStack is under active attack. A hardcoded crypto key (CVE-2025-30406, CVSS 9.0) is being exploited in the wild—allowing remote code execution on internet-facing servers. 👇 https://t.co/cbEtfGm0qm

    @efani

    15 Apr 2025

    367 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  19. CVE-2025-30406 in Gladinet CentreStack/Triofox is under active attack. RCE via hardcoded machineKey lets hackers escalate to SYSTEM. Patch now or rotate keys—CISA flags it critical. https://t.co/uKKJv0Ruer #cybersecurity

    @dCypherIO

    15 Apr 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    15 Apr 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  21. #GladinetCentreStack users - you can now check for CVE-2025-30406 with Intruder ✔️ Our active check is live, so you can find out fast if you're at risk. 👉 Sign up for free to scan your environment today: https://t.co/qgJyxj5rL5 https://t.co/fhEXlwpATD

    @intruder_io

    15 Apr 2025

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🚨 New CISA Alert! Gladinet CentreStack flaw (CVE-2025-30406, CVSS 9.0) is actively exploited. ▶️ Hard-coded machineKey enables remote code execution. ▶️ Exploited as a zero-day in March 2025. Patch or rotate keys now. https://t.co/o53mPy8NP0

    @achi_tech

    15 Apr 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. csirt_it: ‼ #Exploited #Gladinet: exploitation in the wild detected for CVE-2025-30406 affecting the #CentreStack product. Risk: 🟠 Type: 🔸 Remote Code Execution 🔗 https://t.co/6uEpbChyar 🔄 Updates available 🔄 https://t.co/SrKKSRYKAO

    @Vulcanux_

    15 Apr 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 🚨 Critical RCE Alert: CVE-2025-30406 A new vulnerability in Gladinet CentreStack & Triofox software is being exploited in the wild — with 7 orgs already compromised since March 2025.  CVSS Score: 9.0  Affected: Triofox ≤ v16.4.10317.56372  Exploit: Remote code execution h

    @modat_magnify

    15 Apr 2025

    51 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  25. 🚨 Critical RCE Alert: CVE-2025-30406 A new vulnerability in Gladinet CentreStack & Triofox software is being exploited in the wild — with 7 orgs already compromised since March 2025.  CVSS Score: 9.0  Affected: Triofox ≤ v16.4.10317.56372  Exploit: Remote code execution h

    @modat_magnify

    15 Apr 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. A critical RCE vulnerability (CVE-2025-30406) in Gladinet's CentreStack and Triofox software threatens organizations with a CVSS score of 9.0. Seven victims reported exploitation. ⚠️ #Gladinet #RemoteCodeExecution #USA link: https://t.co/iw50WYHjEs https://t.co/Rn2S7y6LIx

    @TweetThreatNews

    15 Apr 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 📌 A serious security vulnerability has been discovered in Gladinet CentreStack that also affects Triofox, and it has led to the compromise of seven organizations so far. The flaw is tracked as CVE-2025-30406 (CVSS score: 9.0) and concerns the use of a fixed cryptographic key, exposing internet-facing servers to remote code execution attacks. #الامن…

    @Cybercachear

    15 Apr 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Huntress documents in-the-wild exploitation of a critical Gladinet vulnerability (CVE-2025-30406) https://t.co/K57ZmXR2FO #Security #セキュリティ #ニュース

    @SecureShield_

    15 Apr 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    15 Apr 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  30. On the exploitation of a critical vulnerability in Gladinet CentreStack and Triofox, as reported by Huntress. CVE-2025-30406 has a CVSS score of 9 and was added to the Known Exploited Vulnerabilities catalog in April. It allows code execution by bypassing ASPX ViewState protection. Exploitation via PowerShell commands. https://t.co/UJTJbYaEth

    @__kokumoto

    14 Apr 2025

    34 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Attackers are exploiting CentreStack’s CVE-2025-30406—a deserialization flaw tied to a hardcoded machineKey.  We spotted an exploit attempt, isolated the server, & confirmed no further compromise—despite a patch being in place.  What MSPs must do:  ➡️ https://t.co/85Qwk2KTd

    @BlackpointUS

    14 Apr 2025

    69 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. CVE-2025-30406 is a critical (CVSS 9.8) vulnerability in Gladinet CentreStack. The issue is caused by the installer using hardcoded values for the validation and decryption key. Get the latest from our security team: https://t.co/Xseu2rT2MY https://t.co/RXNRpYGxYg

    @intruder_io

    14 Apr 2025

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. Huntress has observed in-the-wild exploitation of CVE-2025-30406, a critical vulnerability in the Gladinet CentreStack enterprise file-sharing platform.

    @HuntressLabs

    14 Apr 2025

    5640 Impressions

    12 Retweets

    35 Likes

    2 Bookmarks

    2 Replies

    0 Quotes

  34. Top 5 Trending CVEs: 1 - CVE-2021-35587 2 - CVE-2025-30406 3 - CVE-2023-43622 4 - CVE-2025-24813 5 - CVE-2025-3248 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    13 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. I got a proof-of-concept working for CVE-2025-30406, recently added to CISA's KEV. It's point and shoot 🙃 https://t.co/Wimc183h0h

    @_JohnHammond

    12 Apr 2025

    39691 Impressions

    66 Retweets

    615 Likes

    191 Bookmarks

    9 Replies

    0 Quotes

  36. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    11 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  37. 🚨 Attention IT professionals and security teams! A critical flaw (CVE-2025-30406) in Gladinet CentreStack has been actively exploited. This vulnerability can allow attackers to gain full control over your systems through remote code execution.

    @fynn_JourX

    11 Apr 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  38. We added Microsoft Windows and Gladinet CentreStack vulnerabilities CVE-2025-29824 & CVE-2025-30406 to our Known Exploited Vulnerabilities Catalog. mitigations to protect your org from cyberattacks. #InfoSec https://t.co/e4qh8xysog

    @GlobalCyberCom

    10 Apr 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  39. Zero-day RCE (CVE-2025-30406) in CentreStack exploited in the wild! Hardcoded machineKey lets hackers run malicious code on file-sharing servers. Patch ASAP or rotate keys. CISA sets April 29 deadline. https://t.co/hktIkTc21t #infosec #cybersecurity

    @dCypherIO

    10 Apr 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  40. 🚨 CISA warns of active exploits targeting CentreStack CVE-2025-30406, CVSS 9.0 — a hard-coded machineKey flaw enables remote code execution via ViewState tampering. Patch released Apr 3. Users urged to update or rotate keys ASAP.https://t.co/AO0UYqbcyP https://t.co/AO0UYqbcyP h

    @CareWeDoNot

    10 Apr 2025

    44 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  41. Actively exploited CVE : CVE-2025-30406

    @transilienceai

    10 Apr 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  42. #Hackers exploited a zero-day #vulnerability in Gladinet CentreStack's file-sharing software since March, breaching storage servers. The flaw, CVE-2025-30406, involves a hardcoded machineKey, allowing malicious payload execution☝️🤖 https://t.co/lXTsz5DETw https://t.co/3ZWbt8msC

    @manuelbissey

    10 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. CISA has identified two critical vulnerabilities: CVE-2025-30406 in Gladinet CentreStack and CVE-2025-29824 in Microsoft Windows. Immediate patching is essential to protect systems! 🔒🛡️ #Gladinet #Windows #USA link: https://t.co/uZqreQTTqX https://t.co/fAgih7xJO7

    @TweetThreatNews

    9 Apr 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  44. 📌 The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a serious vulnerability in Gladinet CentreStack, classifying it as one of the vulnerabilities currently being exploited. The flaw, known as CVE-2025-30406, concerns an embedded encryption key that can be exploited to carry out remote attacks. #الامن_السيبراني https://t.c

    @Cybercachear

    9 Apr 2025

    31 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  45. 🚨 New CISA Alert! Gladinet CentreStack flaw (CVE-2025-30406, CVSS 9.0) is actively exploited. ▶️ Hard-coded machineKey enables remote code execution. ▶️ Exploited as a zero-day in March 2025. 🔗 Details: https://t.co/308nOEzlbJ Patch or rotate keys now.

    @TheHackersNews

    9 Apr 2025

    8959 Impressions

    30 Retweets

    51 Likes

    4 Bookmarks

    2 Replies

    0 Quotes

  46. 🛡️ We added Microsoft Windows and Gladinet CentreStack vulnerabilities CVE-2025-29824 & CVE-2025-30406 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec https:

    @CISACyber

    8 Apr 2025

    119 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  47. 🚨 CVE-2025-30406 ⚠️🔴 CRITICAL (9) 🏢 Gladinet - CentreStack 🏗️ 0 🔗 https://t.co/YAf8b7vrCI 🔗 https://t.co/rzdrNR6ePV #CyberCron #VulnAlert #InfoSec https://t.co/EXQCg5LfvA

    @cybercronai

    4 Apr 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. CVE-2025-30406 Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use… https://t.co/Uw9EBelimM

    @CVEnew

    4 Apr 2025

    314 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. ⚠️Triofox Security Advisory: CVE-2025-30406 - Please read this PDF for important remediation steps to protect your deployment. https://t.co/xhZxHkQSrM

    @gladinet

    4 Apr 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations