CVE-2025-30406

Published Apr 3, 2025

Last updated 4 days ago

Gladinet CentreStack

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-30406 is a vulnerability affecting Gladinet CentreStack, a cloud-based enterprise file-sharing platform. It stems from the use of a hard-coded cryptographic key within the application's web configuration files (web.config). This key is used for ViewState integrity verification. Successful exploitation of this flaw allows an attacker to forge ViewState payloads. This enables server-side deserialization, ultimately leading to remote code execution. The vulnerability is classified as CWE-321, which highlights the risks associated with using hard-coded cryptographic keys.

Description: Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.
Source: cve@mitre.org
NVD status: Analyzed

Insights

Analysis from the Intruder Security Team

Published Apr 14, 2025 Updated Apr 14, 2025

This vulnerability is caused by the installer for the application using a hardcoded value for the validation and decryption key (sometimes known as the machine keys). These values are the same for all instances created by the vulnerable installer, and so an attacker can find these keys for your instance very easily.

If an attacker possesses these keys, they can execute code of their choice on the server remotely using well-known methods.

Updating to the latest version will cause the keys to be regenerated to secret values.

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability
Exploit added on: Apr 8, 2025
Exploit action due: Apr 29, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

cve@mitre.org: CWE-321
nvd@nist.gov: CWE-798

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 7

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:gladinet:centrestack:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D44CE026-3259-4767-8AE9-0580BD0A3668",
            "versionEndExcluding": "16.4.10315.56368"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]