Critical Remote Vulnerability in Gladinet CentreStack and Triofox Actively Exploited

In March 2025, a critical vulnerability identified as CVE-2025-30406 was discovered in Gladinet CentreStack and Triofox platforms. This flaw, stemming from the use of hardcoded cryptographic keys in the web.config files, allows attackers to perform remote code execution (RCE) by exploiting ASP.NET ViewState deserialization. The vulnerability affects CentreStack versions up to 16.1.10296.56315 and Triofox versions up to 16.4.10317.56372. Gladinet addressed this issue in CentreStack version 16.4.10315.56368 and Triofox version 16.4.10317.56372 by removing the hardcoded keys and implementing unique machineKey generation during installation.

Technical Description

CVE-2025-30406 is a serious vulnerability in Gladinet’s CentreStack and Triofox platforms, popular solutions used by businesses and managed service providers (MSPs) for secure remote file access and cloud enablement. The root of this flaw lies in how the applications handle cryptographic settings in their configuration files, specifically through the use of hardcoded machineKey values within the web.config files. These keys are a vital component of ASP.NET’s security infrastructure, responsible for encrypting and validating ViewState data and other sensitive elements in web sessions.

The issue here is that the same cryptographic keys were used across multiple installations, effectively giving attackers a master key. Once an attacker becomes aware of these hardcoded values, either through reverse engineering the software or from leaked configuration files, they can exploit them to create malicious ViewState payloads. Normally, ASP.NET uses the machineKey to check whether incoming ViewState data has been tampered with. But if that key is known to the attacker, these checks can be bypassed.

This opens the door to ViewState deserialization attacks, a well-known class of exploits where attackers craft malicious serialized objects that, once deserialized by the server, execute arbitrary code. Since the vulnerability does not require any authentication to trigger, an attacker can simply send the malicious payload to a public-facing instance of CentreStack or Triofox, potentially gaining remote code execution (RCE) on the host server.

What makes this especially dangerous is the attack’s stealth. It doesn’t rely on traditional vectors like file uploads or user interaction. Instead, it leverages built-in features of the ASP.NET framework, which are typically trusted by system administrators. Additionally, these attacks can often evade standard antivirus and endpoint protection tools because they execute through the web server process (usually w3wp.exe for IIS), which is considered a normal part of application behavior.

Security researchers who discovered the flaw were able to confirm that this vulnerability was being actively exploited in the wild, meaning attackers are not just aware of it but are actively using it against vulnerable systems. This prompted a swift and urgent advisory from Gladinet, recommending immediate updates to CentreStack version 16.4.10315.56368 and Triofox version 16.4.10317.56372, where the hardcoded keys have been removed. These updated versions now dynamically generate unique machineKeys during the installation process, ensuring each instance has a distinct cryptographic configuration.

For organizations that cannot immediately update, a temporary mitigation involves manually editing the web.config files to replace the hardcoded keys with securely generated ones. However, this should only be seen as a stopgap solution; full patching is the only reliable way to close this security gap.

Impact

The exploitation of CVE-2025-30406 has significant implications, especially for organizations relying on CentreStack and Triofox for file sharing and remote access. Successful exploitation can lead to unauthorized access, data exfiltration, and full system compromise. Given the platforms’ widespread use among managed service providers (MSPs), the vulnerability poses a substantial risk across various industries.

Gladinet CentreStack

  • All versions up to and including 16.1.10296.56315
  • Vulnerable due to the presence of hardcoded machineKey values in the web.config files

Triofox

  • All versions up to and including 16.4.10317.56372
  • Same vulnerability present due to shared codebase and configuration structure

IOC and Context Details

| Topics | Details |
| --- | --- |
| Tactic Name | Initial Access, Execution |
| Technique Name | Exploit Public-Facing Application |
| Sub Technique Name | Deserialization of Untrusted Data |
| Attack Type | Remote Code Execution |
| Targeted Applications | Gladinet CentreStack, Triofox |
| Region Impacted | Global |
| Industry Impacted | All |
| IOCs | Presence of hardcoded machineKey in web.config files |
| CVE | CVE-2025-30406 |

Recommended Actions

  • Immediate Patching: Upgrade CentreStack to version 16.4.10315.56368 and Triofox to version 16.4.10317.56372 to address the vulnerability.
  • Manual Mitigation: If immediate patching is not feasible, manually remove or replace the hardcoded machineKey entries in both root and portal web.config files with securely generated keys.
  • System Monitoring: Implement monitoring for unusual activities, such as unexpected PowerShell executions or outbound connections from IIS worker processes, which may indicate exploitation attempts.
  • Review Access Logs: Analyze server logs for signs of unauthorized access or anomalies that could suggest compromise.
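
An added example, not code from Gladinet or the original advisory: one way to check a web.config for the literal machineKey values described in the Technical Description and the Manual Mitigation item, compare hosts for identical keys, and produce a freshly generated replacement element. The sample configuration, its placeholder keys, the host names, and the key sizes and algorithm attributes chosen for the replacement are assumptions.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: placeholder key material, not the values Gladinet shipped.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AAAA0000AAAA0000AAAA0000AAAA0000"
                decryptionKey="BBBB1111BBBB1111BBBB1111BBBB1111"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

def audit_machine_keys(config_xml):
    """Return one finding per literal (non-AutoGenerate) machineKey attribute."""
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate XML namespaces
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = elem.get(attr, "")
            if value and not value.startswith("AutoGenerate"):
                # A truncated hash lets hosts be compared without copying keys around.
                digest = hashlib.sha256(value.upper().encode()).hexdigest()[:16]
                findings.append({"attr": attr, "fingerprint": digest})
    return findings

def shared_fingerprints(findings_by_host):
    """Map fingerprint -> hosts for key values that appear on more than one host."""
    seen = {}
    for host, findings in findings_by_host.items():
        for finding in findings:
            seen.setdefault(finding["fingerprint"], set()).add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}

def new_machine_key_element():
    """Replacement element with fresh random keys (assumed sizes: 64-byte HMAC, 32-byte AES)."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="HMACSHA256" decryption="AES" />'
            % (secrets.token_hex(64).upper(), secrets.token_hex(32).upper()))

if __name__ == "__main__":
    found = audit_machine_keys(SAMPLE_WEB_CONFIG)
    print("literal keys:", found)
    print("shared across hosts:", shared_fingerprints({"host-a": found, "host-b": found}))
    print("replacement:", new_machine_key_element())
```

Run the audit against both the root and portal web.config files on each server; any fingerprint reported by `shared_fingerprints` means two installations validate ViewState with the same key.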
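
The System Monitoring recommendation expressed as detection logic over process and network telemetry, as an added example that is not part of the original advisory. The JSON event schema, field names, host name and internal address ranges are constructed for illustration; map them to whatever your EDR or Sysmon pipeline emits.

```python
import ipaddress
import json
import ntpath

# Constructed sample telemetry: simplified JSON lines, not a real product's schema.
SAMPLE_EVENTS = r"""
{"type":"process","host":"fs01","parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"type":"process","host":"fs01","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"type":"network","host":"fs01","image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","initiated":true,"remote_ip":"203.0.113.10"}
{"type":"network","host":"fs01","image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","initiated":true,"remote_ip":"10.0.5.20"}
{"type":"network","host":"fs01","image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","initiated":false,"remote_ip":"198.51.100.7"}
truncated or non-JSON line
"""

IIS_WORKER = "w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed internal ranges; replace with the networks the server legitimately talks to.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def exe(path):
    # Lower-cased file name of a Windows path; ntpath works on any OS.
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return an alert reason for a suspicious event, else None."""
    if event.get("type") == "process":
        if exe(event.get("parent")) == IIS_WORKER and exe(event.get("image")) in SHELLS:
            return "shell spawned by IIS worker"
    elif event.get("type") == "network":
        if exe(event.get("image")) == IIS_WORKER and event.get("initiated"):
            remote = ipaddress.ip_address(event["remote_ip"])
            if not any(remote in net for net in INTERNAL):
                return "IIS worker connected to external address"
    return None

def detect(log_text):
    """Return (line number, host, reason) for every event that matches a rule."""
    alerts = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        try:
            event = json.loads(line)
            reason = classify(event) if isinstance(event, dict) else None
        except (ValueError, KeyError):
            continue  # damaged or incomplete record: skip rather than abort the scan
        if reason:
            alerts.append((lineno, event.get("host"), reason))
    return alerts
```

Calling `detect(SAMPLE_EVENTS)` flags the first and third sample records; the interactive PowerShell session, the internal backend connection and the inbound request are left alone.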
