Gladinet Flaw CVE-2025-30406 Actively Exploited in the Wild

A critical vulnerability in Gladinet's CentreStack and Triofox software has been actively exploited in the wild, affecting seven organizations and 120 endpoints, according to a report by Huntress. The vulnerability, tracked as CVE-2025-30406, is rated at 9.0 on the Common Vulnerability Scoring System (CVSS) scale, making it a severe issue.

The flaw is due to hardcoded machineKey values in the CentreStack portal's web.config file; these keys are what protects the integrity of ASP.NET ViewState data. If an attacker obtains or predicts the machineKey value, they can forge ViewState payloads that pass integrity checks, potentially leading to remote code execution (RCE) on the web server.

Threat actors have been exploiting this vulnerability since March, according to Huntress. The company detected suspicious activity linked to Gladinet CentreStack in April 2025, which was later confirmed to be related to CVE-2025-30406.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in April 2025. Huntress is urging partners to patch the vulnerability, which has been addressed in version 16.4.10315.56368, released on April 3, 2025.

According to Huntress, at least seven organizations were compromised by exploiting this zero-day. The researchers pointed out that a few hundred vulnerable servers exposed to the Internet are at risk. If left unpatched, this allows remote code execution and full server compromise.

The Attack Vector

"This weakness can be leveraged to abuse the ASPX ViewState, a mechanism used to preserve the state of a web page and its controls between multiple HTTP requests," reads the report published by Huntress. "The hardcoded keys open the door for a very standard and well-researched attack technique with ViewState deserialization."

Threat actors have been using this vulnerability to exploit Gladinet CentreStack and Triofox servers, achieving remote code execution as IISAPPPOOL\portaluser, with easy privilege escalation to SYSTEM.

The Proof-of-Concept

Huntress demonstrated the risk of this vulnerability by creating a working proof-of-concept exploit targeting Triofox web.config files. The company warned that they will update their blog to include the technical details of recreating the attack script once an external exploit is shared publicly.

The Aftermath

In one attack, Huntress spotted an encoded PowerShell command used to download and run a DLL. The researchers noticed that this technique was also seen in recent CrushFTP vulnerability exploits.

On the second host, attackers executed Impacket commands, MeshAgent, and Centre.exe. Huntress found approximately 120 endpoints running vulnerable Gladinet CentreStack software and is urging partners to patch CVE-2025-30406.
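The activity Huntress describes on the compromised hosts (an encoded PowerShell command launched to fetch and run a DLL, all of it running under the IIS application pool identity) gives a defender a narrow process-tree signal: the IIS worker process w3wp.exe has no business spawning an interactive shell. The Python below is an added example written for this article, not code from Huntress or Gladinet. It triages constructed Sysmon-style process-creation events (the field names, paths, user names and the encoded payload are all constructed), decodes -EncodedCommand arguments, and flags w3wp.exe children that are shells or whose decoded command contains download or DLL-loading cues. The one expected w3wp.exe child it deliberately leaves alone is csc.exe, which ASP.NET launches for runtime page compilation.

```python
"""Flag IIS worker-process children that resemble the post-exploitation activity
described above. Added example, not Huntress's or Gladinet's code; the events
below are constructed Sysmon-style records, not real telemetry."""
import base64
import re

IIS_WORKER = "w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Common spellings of PowerShell's -EncodedCommand switch, followed by base64.
ENC_RE = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Tokens that, in a decoded command, suggest fetching and loading code.
DOWNLOAD_CUES = ("downloadfile", "downloadstring", "invoke-webrequest",
                 "net.webclient", "rundll32", "regsvr32")


def encode_command(text: str) -> str:
    """Encode text the way PowerShell expects for -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> list:
    """Return the reasons this process-creation event is suspicious (empty if none)."""
    reasons = []
    if basename(event["ParentImage"]) != IIS_WORKER:
        return reasons
    child = basename(event["Image"])
    if child in SHELLS:
        reasons.append(f"{IIS_WORKER} spawned {child} as {event.get('User', '?')}")
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded is not None:
        reasons.append("encoded PowerShell command; decoded: " + decoded.strip())
        if any(cue in decoded.lower() for cue in DOWNLOAD_CUES):
            reasons.append("decoded command contains a download/DLL-loading cue")
    return reasons


def triage(events: list) -> list:
    """Return [(index, reasons)] for every flagged event."""
    flagged = []
    for i, ev in enumerate(events):
        reasons = triage_event(ev)
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Constructed sample events (Sysmon Event ID 1 style fields, not real telemetry).
# The encoded payload is harmless text that merely contains a cue word.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encode_command("Write-Host 'constructed sample: DownloadFile cue'"),
     "User": r"IISAPPPOOL\portaluser"},
    # Expected: ASP.NET compiles pages at runtime, so w3wp.exe -> csc.exe is normal.
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths @C:\\Windows\\Temp\\constructed.cmdline",
     "User": r"IISAPPPOOL\portaluser"},
    # Expected: an administrator's encoded script launched from the desktop.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + encode_command("Get-Service W3SVC"),
     "User": r"CORP\admin"},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for r in reasons:
            print("  -", r)
```

Only the first event is flagged, with three reasons: the shell child, the presence of an encoded command, and the download cue in the decoded text. In production the parent check would key on the application pool's worker process identity rather than a hard-coded image name, but the shape of the rule is the same.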

The Mitigation

"We strongly recommend updating to the patched version, which improves key management and mitigates exposure," advises Huntress. "For customers who cannot update immediately, rotating the machineKey values is a recommended interim mitigation."
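The weakness described above is a machineKey that ships identically in every installation's web.config, and the interim mitigation Huntress gives is to rotate it. The following Python script is an added example written for this article, not Gladinet's or Huntress's code. It parses a constructed web.config, flags an explicit machineKey that matches a placeholder "known shipped" value, is not hexadecimal, or is shorter than the lengths IIS Manager's key generator produces, and emits a rotated configuration with fresh random keys. The `KNOWN_SHIPPED_KEYS` set and every key value in the sample are constructed placeholders standing in for values this article does not publish.

```python
"""Audit an ASP.NET web.config for a hardcoded <machineKey> and emit a rotated one.

Added example for this article, not Gladinet's or Huntress's code. The sample
web.config and every key value in it are constructed placeholders; the real
keys shipped with CentreStack/Triofox are not published here.
"""
import re
import secrets
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Placeholder for values known to ship in a vendor's default web.config.
# Constructed; substitute the vendor's published value if one is disclosed.
KNOWN_SHIPPED_KEYS = {"PLACEHOLDER_VENDOR_SHIPPED_VALIDATION_KEY"}

# IIS Manager's key generator emits 64 random bytes for an HMACSHA256
# validationKey and 32 bytes for an AES decryptionKey, hex-encoded.
EXPECTED_BYTES = {"validationKey": 64, "decryptionKey": 32}

# Constructed sample: an explicit, static machineKey like the one the advisory describes.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VENDOR_SHIPPED_VALIDATION_KEY"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(xml_text: str) -> dict:
    """Return {"explicit": bool, "issues": [...]}.

    explicit is False when no key is pinned (ASP.NET then defaults to
    AutoGenerate,IsolateApps, which is per-machine and cannot be shared across
    customers). issues lists why an explicit key should be rotated; an empty
    list means the key is explicit, hexadecimal, full length and not known.
    """
    root = ET.fromstring(xml_text)
    result = {"explicit": False, "issues": []}
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return result
    for attr, min_bytes in EXPECTED_BYTES.items():
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        result["explicit"] = True
        key = value.split(",")[0]  # drop an optional ",IsolateApps" modifier
        if key in KNOWN_SHIPPED_KEYS:
            result["issues"].append(f"{attr} matches a known vendor-shipped value")
        elif not HEX_RE.fullmatch(key):
            result["issues"].append(f"{attr} is not a hexadecimal key")
        elif len(key) < min_bytes * 2:
            result["issues"].append(
                f"{attr} is {len(key) // 2} bytes; IIS Manager generates {min_bytes}")
    return result


def rotate_machine_key(xml_text: str) -> str:
    """Return web.config text with fresh random keys in <system.web><machineKey>."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    # secrets.token_hex(n) yields n random bytes as 2n hex characters.
    mk.set("validationKey", secrets.token_hex(EXPECTED_BYTES["validationKey"]).upper())
    mk.set("decryptionKey", secrets.token_hex(EXPECTED_BYTES["decryptionKey"]).upper())
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_machine_key(SAMPLE_WEB_CONFIG))
    rotated = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("after: ", audit_machine_key(rotated))
    print(rotated)
```

Two operational points follow from how machineKey works and belong next to any rotation: every server in a web farm behind the same portal must receive the same new key pair, otherwise ViewState and forms-authentication tickets issued by one node fail validation on another; and rotation invalidates all in-flight ViewState and authentication cookies, so users will be signed out. Back up web.config before writing the rotated file, and re-run the audit afterwards to confirm the vendor-shipped value is gone.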

Gladinet has also addressed the flaw and confirmed that it is actively exploited.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon