Critical vulnerability in Gladinet CentreStack and Triofox (CVE-2025-30406) actively exploited
Take action: If you are using the Gladinet CentreStack or Triofox platforms, patch IMMEDIATELY. If for any reason you cannot patch, apply the mitigation measures to remove the hardcoded key from web.config. This cannot be postponed: attackers have been exploiting these platforms since March 2025.
A critical remote code execution (RCE) vulnerability affecting Gladinet's CentreStack and Triofox file-sharing and remote access platforms was added to CISA's Known Exploited Vulnerabilities catalog on Tuesday, April 8, 2025.
The vulnerability, tracked as CVE-2025-30406 (CVSS score 9), stems from the use of hardcoded or improperly protected cryptographic keys in the application's configuration. The issue involves the machineKey in the IIS web.config file, which is responsible for securing ASP.NET ViewState data.
An attacker who obtains or predicts the machineKey used for ViewState integrity verification can forge ViewState payloads that pass the integrity check, and a forged payload is then deserialized by the server, which can lead to remote code execution on the web server.
The flaw has been actively exploited in the wild since March 2025, according to NIST's National Vulnerability Database.
Affected products are CentreStack versions up to and including v16.1.10296.56315 and the Triofox platform (no vulnerable versions listed).
Gladinet has released patched versions for both affected products:
- CentreStack: Version 16.4.10315.56368 (released April 3, 2025)
  - Web installer: https://gladinetsupport.s3.us-east-1.amazonaws.com/GCE/zip/installEntGUI16.4.10315.56368.exe
  - This version automatically generates a unique machineKey during installation
- Triofox: Version 16.4.10317.56372
  - Specific download link not provided in the original text
For users who cannot update immediately, Gladinet provides a manual mitigation process:
- Back up the web.config file in the CentreStack installation folder
- Use IIS Manager to generate new machine keys
- Apply the new keys to the configuration
- Remove hardcoded keys from portal/web.config
- For multi-node deployments, ensure all nodes share the same new machineKey
- Restart IIS on all affected servers
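The audit and key-generation part of the mitigation above, as an added PowerShell example; this is not Gladinet's tooling and not the IIS Manager procedure the advisory describes. It reads a web.config, reports whether a static (non-AutoGenerate) machineKey is present, and prints a freshly generated replacement element. The installation path, the HMACSHA256/AES algorithm choice and the key lengths are assumptions. The script changes nothing on disk: back up web.config, apply the printed element yourself (the identical element on every node of a multi-node deployment), remove the old hardcoded keys, and restart IIS.

```powershell
# Added example (not Gladinet's code): audit a web.config for a static
# <machineKey> and generate fresh key material to replace it.
param(
    # Placeholder path, not taken from the advisory: point it at your portal web.config.
    [string]$WebConfigPath = 'C:\CentreStack\portal\web.config'
)

# Reports whether <configuration><system.web><machineKey> exists and whether its
# validationKey / decryptionKey are literal values rather than AutoGenerate.
function Test-HardcodedMachineKey {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $mk = $cfg.SelectSingleNode('/configuration/system.web/machineKey')

    if ($null -eq $mk) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Hardcoded = $false; Validation = $null }
    }

    $staticValidation = $mk.HasAttribute('validationKey') -and
                        ($mk.GetAttribute('validationKey') -notmatch '^AutoGenerate')
    $staticDecryption = $mk.HasAttribute('decryptionKey') -and
                        ($mk.GetAttribute('decryptionKey') -notmatch '^AutoGenerate')

    [pscustomobject]@{
        Path       = $Path
        Present    = $true
        Hardcoded  = ($staticValidation -or $staticDecryption)
        Validation = $mk.GetAttribute('validation')
    }
}

# Cryptographically random key material as an uppercase hex string.
function New-RandomHexKey {
    param([Parameter(Mandatory)][int]$ByteLength)

    $bytes = New-Object byte[] $ByteLength
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

# Builds one replacement <machineKey> element: a 64-byte validation key for
# HMACSHA256 and a 32-byte decryption key for AES (algorithm choice is ours).
# Generate it ONCE and apply the same element on every node of a cluster.
function New-MachineKeyElement {
    $validationKey = New-RandomHexKey -ByteLength 64
    $decryptionKey = New-RandomHexKey -ByteLength 32
    "<machineKey validationKey=`"$validationKey`" decryptionKey=`"$decryptionKey`" validation=`"HMACSHA256`" decryption=`"AES`" />"
}

$result = Test-HardcodedMachineKey -Path $WebConfigPath
$result | Format-List

if ($result.Hardcoded) {
    Write-Warning "Static machineKey found in $WebConfigPath. Back up the file, then replace the element with:"
    New-MachineKeyElement
}
```

Run it once per deployment, not once per node: a ViewState signed on one node must verify on every other node, which is why the advisory requires all nodes to share the same new machineKey. A key that still appears as a literal in any web.config after rotation means the mitigation is incomplete.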
This vulnerability follows a concerning pattern of critical flaws in enterprise-grade file transfer solutions being actively exploited by attackers. Similar incidents have affected Progress Software's MOVEit, Cleo's file transfer software, Fortra's GoAnywhere, and CrushFTP over the past two years.