Detections
Analytics

CVE-2025-30406

critical

Description

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.

References

https://www.cybereason.com/blog/ttp-briefing-q3-2025

https://www.securityweek.com/gladinet-patches-exploited-centrestack-vulnerability/

https://www.securityweek.com/in-other-news-gladinet-flaw-exploitation-attacks-on-ics-honeypot-clayrat-spyware/

https://www.helpnetsecurity.com/2025/10/10/gladinet-centrestack-vulnerability-exploited-cve-2025-11371/

https://www.databreachtoday.com/hackers-exploit-lfi-flaw-in-file-sharing-platforms-a-29708

https://www.bleepingcomputer.com/news/security/hackers-exploiting-zero-day-in-gladinet-file-sharing-software/

https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html

https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw

https://www.darkreading.com/vulnerabilities-threats/sitecore-zero-day-viewstate-threats

https://www.helpnetsecurity.com/2025/06/02/attackers-breached-connectwise-compromised-customer-screenconnect-instances/

https://securityaffairs.com/176552/hacking/gladinet-flaw-cve-2025-30406-actively-exploited-in-the-wild.html

https://www.securityweek.com/huntress-documents-in-the-wild-exploitation-of-critical-gladinet-vulnerabilities/

https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild

https://thehackernews.com/2025/04/gladinets-triofox-and-centrestack-under.html

https://www.darkreading.com/vulnerabilities-threats/zero-day-centrestack-platform-under-attack

https://www.securityweek.com/cisa-urges-urgent-patching-for-exploited-centrestack-windows-zero-days/

https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/

https://thehackernews.com/2025/04/cisa-warns-of-centrestacks-hard-coded.html

https://www.cisa.gov/news-events/alerts/2025/04/08/cisa-adds-two-known-exploited-vulnerabilities-catalog

https://www.bleepingcomputer.com/news/security/gladinet-fixes-actively-exploited-zero-day-in-file-sharing-software/

https://securityaffairs.com/183259/hacking/cve-2025-11371-unpatched-zero-day-in-gladinet-centrestack-triofox-under-attack.html

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30406

https://www.centrestack.com/p/gce_latest_release.html

https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf

Details

Source: Mitre, NVD

Published: 2025-04-03

Updated: 2025-10-21

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.8439