PT-2025-14795 · Gladinet · Gladinet CentreStack

Published 2025-04-03 · Updated 2025-11-28 · CVE-2025-30406

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Gladinet CentreStack versions prior to 16.4.10315.56368
Triofox versions prior to 16.4.10317.56372

Description

Gladinet CentreStack and Triofox are affected by a deserialization vulnerability stemming from the use of a hardcoded machineKey within the CentreStack portal. A threat actor who knows the machineKey can serialize a malicious payload that the server will deserialize, ultimately achieving remote code execution. The vulnerability impacts the ASP.NET ViewState, and a proof-of-concept exploit is publicly available.

Exploitation of this issue has been observed in the wild since March 2025, with reports indicating active exploitation and compromise of organizations. Huntress reported that seven organizations and 120 endpoints have been impacted. The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog.

Successful exploitation can lead to the enumeration of the targeted host and Active Directory environment, followed by the execution of malicious payloads in memory, including reading configuration files, enumerating domain computers and users, and downloading/executing malicious stagers.

Recommendations

Gladinet CentreStack versions prior to 16.4.10315.56368: Update to version 16.4.10315.56368 or later. Alternatively, manually delete the machineKey defined in the portalweb.config file.

Triofox versions prior to 16.4.10317.56372: Update to version 16.4.10317.56372 or later. If patching is not immediately possible, manually rotate the machineKey in the portalweb.config file and ensure consistency across all servers in a multi-server deployment. Restart IIS after making changes. Audit logs for access attempts, including those targeting the /portal/script endpoints. Limit external access to CentreStack interfaces wherever feasible. Actively monitor for suspicious deserialization activity.
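
One way to check the machineKey recommendations above across a deployment, as an added example that is not vendor code or part of the original advisory: it classifies the machineKey in each collected web.config and flags servers whose key material differs. The function names and the sample configurations are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from any real CentreStack or Triofox install).
STATIC_A = """<configuration><system.web>
  <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" validation="SHA1" decryption="AES" />
</system.web></configuration>"""
STATIC_B = STATIC_A.replace("BBBB2222", "CCCC3333")  # key rotated on one node only
AUTOGEN = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""
NO_KEY = "<configuration><system.web /></configuration>"


def audit_machine_key(config_xml):
    """Classify the machineKey in one web.config as absent, autogenerate or static."""
    root = ET.fromstring(config_xml)
    elements = list(root.iter("machineKey"))  # also finds keys nested under <location>
    if not elements:
        return {"status": "absent", "fingerprint": None}
    for el in elements:
        keys = [el.get("validationKey", ""), el.get("decryptionKey", "")]
        # An explicit value other than AutoGenerate is key material stored in the file.
        if any(k and not k.lower().startswith("autogenerate") for k in keys):
            # Hash the keys so reports can compare servers without exposing the secrets.
            fp = hashlib.sha256("|".join(keys).encode()).hexdigest()[:16]
            return {"status": "static", "fingerprint": fp}
    return {"status": "autogenerate", "fingerprint": None}


def audit_farm(configs):
    """configs maps server name to web.config text; returns (per-server results, consistent)."""
    results = {name: audit_machine_key(xml) for name, xml in configs.items()}
    statuses = {r["status"] for r in results.values()}
    prints = {r["fingerprint"] for r in results.values() if r["status"] == "static"}
    # Consistent means every server uses the same mode and, if static, the same keys.
    return results, len(statuses) == 1 and len(prints) <= 1


if __name__ == "__main__":
    results, consistent = audit_farm({"node1": STATIC_A, "node2": STATIC_B, "node3": AUTOGEN})
    for name, r in results.items():
        print(name, r["status"], r["fingerprint"])
    print("consistent across servers:", consistent)
```

A "static" result is expected after a manual rotation; the script cannot tell whether a value is the vendor-shipped one, so record the fingerprint before rotating and confirm it has changed afterwards.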

Fix

RCE

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

BDU:2025-04968
CVE-2025-30406

Affected Products

Gladinet CentreStack