CVE-2025-30406

Gladinet CentreStack versions through 16.1.10296.56315 Gladinet Triofox versions prior to 16.4.10317.56372

Gladinet CentreStack and Triofox are affected by a deserialization vulnerability due to the use of a hardcoded machineKey in the CentreStack portal. This allows threat actors who know the machineKey to serialize a payload for server-side deserialization, achieving remote code execution. The vulnerability has been actively exploited in the wild since March 2025, with reports of exploitation against seven organizations and 120 endpoints. Exploitation techniques observed include PowerShell commands, DLL sideloading, and enumeration of the targeted host and Active Directory environment.

Gladinet CentreStack versions prior to 16.4.10315.56368: Apply the latest updates to ensure the vulnerability is patched and verify the machineKey was rotated. Gladinet Triofox versions prior to 16.4.10317.56372: Update to the latest version. If patching is not immediately available, manually rotate the machineKey defined in

portalweb.config

. Audit logs for indications of access, including logs for access to

/portal/script

endpoints. Limit external access to CentreStack interfaces wherever possible. Actively monitor for suspicious deserialization activities.