🔴 CVE-2025-30406

Critical deserialization vulnerability in Gladinet CentreStack due to hardcoded machineKey, enabling remote code execution on the server. This vulnerability is actively exploited in the wild and listed in CISA KEV.

Risk Level: HIGH_RISK

CVSS Score: 9.0

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-04-03

Added to CISA KEV: 2025-04-08 (5 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-30406 is a critical (CVSS 9.0) deserialization vulnerability affecting Gladinet CentreStack and Triofox, which was actively exploited in the wild beginning in March 2025 [1] [2].

Vulnerability Overview and Impact
  • Root Cause: The vulnerability stems from the use of hardcoded `machineKey` values within the CentreStack portal's configuration files (specifically `web.config`) [1] [2].
  • Impact: Successful exploitation allows an attacker to perform server-side deserialization, leading to Remote Code Execution (RCE) [2] [4].
  • Privilege Level: Initial execution occurs as `IISAPPPOOL\portaluser`, but attackers can easily escalate privileges to `NT AUTHORITY\SYSTEM`, resulting in a full compromise of the target server [1].

Exploitation Details
  • Method: Attackers who possess the hardcoded `machineKey` can serialize a malicious payload and send it to the application for server-side deserialization [2] [5].
  • Requirements: There are no significant prerequisites for exploitation other than knowledge of the default key values and network access to the vulnerable web portal [1]. No specific user interaction is required [1].
  • Exploit Availability: Proof-of-concept (PoC) exploit code has been made available publicly on platforms such as GitHub [3] [6].

Affected Versions and Mitigation
  • Affected Versions: Gladinet CentreStack and Triofox versions up to and including 16.1.10296.56315 [2].
  • Patch Status: The vulnerability was addressed in version 16.4.10315.56368 [2]. Organizations using affected versions are strongly advised to update to the patched version immediately [4].

While the vulnerability was actively exploited in the wild shortly after its discovery in March 2025, specific attribution to ransomware groups or targeted campaigns is not explicitly detailed in the available security advisories, which focus primarily on the technical mechanism and the fact of its active exploitation [1] [7].
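
The root cause described above is a `machineKey` with fixed key material in `web.config`. As an added example (not code from the vendor or from any of the cited advisories), this Python check flags static `validationKey`/`decryptionKey` values in collected `web.config` files and groups hosts whose keys share a fingerprint; the function names, host names and sample files are constructed for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

HEX_KEY = re.compile(r"^[0-9A-Fa-f]{16,}$")  # explicit key material is a hex string

def audit_machine_key(web_config_xml):
    """Report whether a web.config pins static machineKey material."""
    result = {"static": False, "attributes": {}, "fingerprint": None}
    for elem in ET.fromstring(web_config_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an xmlns on the root
            continue
        material = []
        for attr in ("validationKey", "decryptionKey"):
            # Modifiers may follow a comma, e.g. "AutoGenerate,IsolateApps".
            base = elem.get(attr, "AutoGenerate").split(",")[0].strip()
            is_static = bool(HEX_KEY.match(base))
            result["attributes"][attr] = "static" if is_static else "auto"
            if is_static:
                result["static"] = True
                material.append(base.upper())
        if material:
            # Log a fingerprint, never the key itself, so hosts can be compared safely.
            digest = hashlib.sha256("|".join(material).encode()).hexdigest()
            result["fingerprint"] = digest[:16]
    return result

def shared_keys(configs):
    """Map fingerprint -> hosts for key material that appears on more than one host."""
    groups = {}
    for host, xml_text in configs.items():
        fp = audit_machine_key(xml_text)["fingerprint"]
        if fp:
            groups.setdefault(fp, []).append(host)
    return {fp: sorted(h) for fp, h in groups.items() if len(h) > 1}

# Constructed sample files; the hex values are placeholders, not real product keys.
STATIC_CFG = """<configuration><system.web>
  <machineKey validationKey="%s" decryptionKey="%s" validation="SHA1" decryption="AES" />
</system.web></configuration>""" % ("0A" * 32, "1B" * 24)
AUTO_CFG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    fleet = {"host-a": STATIC_CFG, "host-b": STATIC_CFG, "host-c": AUTO_CFG}
    for host, cfg in fleet.items():
        print(host, audit_machine_key(cfg))
    print("shared key material:", shared_keys(fleet))
```

Two installations that report the same fingerprint are using identical key material, which is the condition the advisories describe for the default configuration.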

Sources

  1. CVE-2025-30406: Gladinet CentreStack & Triofox Exploited | Huntress

    Huntress has observed in the wild exploitation against CVE-2025-30406, a weakness due to hardcoded cryptographic keys. ... What is CVE-2025-30406? Per the NIST NVD database, this 9.0 critical severity vulnerability pertains to hardcoded keys set in by default in the CentreStack and Triofox configura…

  2. NVD - CVE-2025-30406

    A deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. ... CVE-2025-30406 Detail. Description. Gladinet CentreStack through 16.1.10296.56315 (fixed i…

  3. W01fh4cker/CVE-2025-30406 - GitHub

    Exploit for CVE-2025-30406. Contribute to W01fh4cker/CVE-2025-30406 development by creating an account on GitHub.

  4. CVE-2025-30406 Description, Impact and Technical Details

    CVE-2025-30406 is a deserialization vulnerability affecting Gladinet CentreStack versions prior to 16.4.10315.56368. Hackers can exploit this issue, which stems from the CentreStack portal's hardcoded machineKey, to perform server-side deserialization and execute arbitrary code. This vulnerability w…

  5. CVE-2025-30406 - Vulnerability Details - OpenCVE

    Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side…

  6. CVE-2025-30406 ViewState Exploit PoC - GitHub

    CVE Details CVE ID: CVE-2025-30406 Description: A deserialization vulnerability in ASP.NET ViewState handling that allows remote code execution when a valid validation key and generator are known. Affected Systems: ASP.NET applications with vulnerable ViewState configurations. Prerequisites for Expl…

  7. April 11 Advisory: Actively Exploited Deserialization Vulnerability in ...

    CentreStack contains a deserialization vulnerability due to the portal's hardcoded machineKey use. Example of Exposed Gladinet CentreStack Login Portal. Field ... CVE-2025-30406 is a critical vulnerability affecting Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368). CentreSta…