PT-2025-14795 · Gladinet · Gladinet Centrestack

Published 2025-04-03 · Updated 2025-12-13 · CVE-2025-30406

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Gladinet CentreStack versions prior to 16.4.10315.56368
Gladinet Triofox versions prior to 16.4.10317.56372
Description

Gladinet CentreStack and Triofox are affected by a deserialization vulnerability due to the use of a hardcoded machineKey in the portal configuration. This allows threat actors who know the machineKey to serialize a payload for server-side deserialization, achieving remote code execution (RCE). The vulnerability has been actively exploited in the wild since March 2025, with reports of exploitation against seven organizations and 120 endpoints. Exploitation techniques observed include PowerShell and MeshRemote, with post-exploitation activities such as enumeration of the host and Active Directory environment, reading configuration files, and downloading/executing malicious payloads in memory. The vulnerability is tracked as CVE-2025-30406 and has a CVSS score of 9.0 to 9.8. In some cases, even systems that appeared to be patched were still vulnerable due to the patch failing to rotate the machineKey.
Recommendations

Gladinet CentreStack versions prior to 16.4.10315.56368: Update to version 16.4.10315.56368 or later. Alternatively, manually delete the machineKey defined in portal\web.config.

Gladinet Triofox versions prior to 16.4.10317.56372: Update to version 16.4.10317.56372 or later. If patching is not immediately available, manually rotate the machineKey in both root\web.config and portal\web.config, ensuring consistency across multi-server deployments and restarting IIS after making changes.
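The following PowerShell check is an added example, not code from this advisory or from Gladinet. It verifies the rotation described in the recommendations by fingerprinting the machineKey in each web.config, flagging files that disagree, and flagging a key that is unchanged since before patching. The function names, the PreviousFingerprint parameter and the demo key values are constructed for illustration; pass the real locations of the two web.config files for your installation.

```powershell
# Added example: fingerprint the <machineKey> in each web.config so the two files
# (and multiple servers) can be compared without copying the key itself around.
function Get-MachineKeyFingerprint {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $node = $cfg.SelectSingleNode('//system.web/machineKey')
    if (-not $node) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Fingerprint = $null }
    }
    $material = '{0}|{1}' -f $node.GetAttribute('validationKey'), $node.GetAttribute('decryptionKey')
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($material)) }
    finally { $sha.Dispose() }
    $hex = [System.BitConverter]::ToString($hash) -replace '-', ''
    [pscustomobject]@{ Path = $Path; Present = $true; Fingerprint = $hex.Substring(0, 16) }
}

function Test-MachineKeyRotation {
    param(
        [Parameter(Mandatory)][string[]]$ConfigPath,
        [string[]]$PreviousFingerprint = @()   # fingerprints recorded before patching (assumed input)
    )
    $files   = @($ConfigPath | ForEach-Object { Get-MachineKeyFingerprint -Path $_ })
    $current = @($files | Where-Object { $_.Present } | ForEach-Object { $_.Fingerprint } | Select-Object -Unique)
    [pscustomobject]@{
        Files      = $files
        Consistent = ($current.Count -le 1)   # every file that defines a key defines the same one
        Rotated    = -not ($current | Where-Object { $PreviousFingerprint -contains $_ })
    }
}

# Demo on constructed files; the key values below are made-up placeholders.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
$paths = foreach ($dir in 'root', 'portal') {
    $null = New-Item -ItemType Directory -Path (Join-Path $tmp $dir) -Force
    Join-Path (Join-Path $tmp $dir) 'web.config'
}
$xml = '<configuration><system.web><machineKey validationKey="{0}" decryptionKey="{1}" /></system.web></configuration>'
Set-Content -LiteralPath $paths[0] -Value ($xml -f 'AAAA1111', 'BBBB2222')
$before = (Get-MachineKeyFingerprint -Path $paths[0]).Fingerprint   # stands in for the pre-patch key
Set-Content -LiteralPath $paths[1] -Value ($xml -f 'CCCC3333', 'DDDD4444')
# The files disagree and one still carries the old key, so both checks fail here.
Test-MachineKeyRotation -ConfigPath $paths -PreviousFingerprint $before | Format-List
Remove-Item -LiteralPath $tmp -Recurse -Force
```

Run the same check on every node of a multi-server deployment and compare the fingerprints between nodes.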

Fix

RCE

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

BDU:2025-04968
CVE-2025-30406

Affected Products

Gladinet Centrestack