Gladinet’s Triofox and CentreStack Exploited Through a Critical RCE Vulnerability
A critical security vulnerability in Gladinet’s CentreStack also affects the company’s Triofox remote access and collaboration product, Huntress has revealed. To date, seven distinct organizations are known to have been breached through it. The vulnerability, tracked as CVE-2025-30406, carries a CVSS score of 9.0. Its root cause is a hard-coded cryptographic key: the ASP.NET machineKey in the application’s web.config is the same in every installation, so anyone who extracts it from one copy can produce ViewState that any other server accepts as authentic and deserializes, which yields remote code execution (RCE) on every internet-accessible server running the software.
On April 3, 2025, Gladinet released an update that fixes the vulnerability in CentreStack version 16.4.10315.56368. The flaw was reportedly exploited as a zero-day in March 2025, although details of how the attackers used it have not been disclosed. Huntress has now confirmed that the weakness also extends to Gladinet Triofox, affecting versions up to 16.4.10317.56372. According to John Hammond, a principal cybersecurity researcher at Huntress, previous versions of the Triofox software contain the same hard-coded cryptographic keys in their configuration files, making them susceptible to the same exploitation.
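Because the weakness is a known secret rather than a code bug, the check a defender can run on any ASP.NET application, not only the two products named here, is whether web.config carries an explicit machineKey and, if so, whether that key came from the installer or was generated on this host. The following added example (not Gladinet’s or Huntress’s code) audits a web.config for an explicit or legacy-algorithm machineKey and emits freshly generated values. It follows the standard ASP.NET `<system.web><machineKey>` schema; the two sample configs and their hex values are constructed placeholders, and rotating the key is general ASP.NET hardening, assumed here as a stop-gap, not a substitute for the vendor update.

```python
"""Audit an ASP.NET web.config for an explicit <machineKey> and produce fresh values.

Added example for this article, not Gladinet's code. It follows the standard
ASP.NET <system.web><machineKey> schema; the sample configs below are constructed
and the hex values are placeholders, not any vendor's real key.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: an explicit key shipped identically to every install,
# the pattern CVE-2025-30406 describes. Placeholder hex of the right length only.
CONSTRUCTED_SHIPPED_CONFIG = f"""<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="{'A' * 128}"
                decryptionKey="{'B' * 64}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample: per-host keys generated by ASP.NET itself.
CONSTRUCTED_SAFE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Legacy MAC and cipher choices still accepted by the schema.
WEAK_ALGORITHMS = {"MD5", "SHA1", "3DES", "DES"}


def audit_machine_key(config_xml: str) -> dict:
    """Report whether the config pins an explicit key and which algorithms it uses."""
    root = ET.fromstring(config_xml)
    finding = {"explicit_key": False, "weak_algorithm": False, "notes": []}
    mk = root.find("./system.web/machineKey")
    if mk is None:
        finding["notes"].append("no <machineKey>: ASP.NET auto-generates per-host keys")
        return finding
    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
    if not vkey.startswith("AutoGenerate") or not dkey.startswith("AutoGenerate"):
        finding["explicit_key"] = True
        finding["notes"].append(
            "explicit validationKey/decryptionKey: confirm it was generated on this "
            "host and not shipped by the installer; a key shared across installs lets "
            "anyone who has it forge ViewState for every server"
        )
    validation = mk.get("validation", "HMACSHA256").upper()
    decryption = mk.get("decryption", "AES").upper()
    if validation in WEAK_ALGORITHMS or decryption in WEAK_ALGORITHMS:
        finding["weak_algorithm"] = True
        finding["notes"].append(
            f"legacy algorithm (validation={validation}, decryption={decryption})"
        )
    return finding


def generate_machine_key() -> tuple[str, str]:
    """Return (validationKey, decryptionKey): 64 random bytes for HMACSHA256,
    32 random bytes for AES-256, both hex-encoded as ASP.NET expects."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with a freshly generated machineKey (HMACSHA256 / AES).

    Caveats: rotation invalidates existing ViewState and forms-auth tickets,
    and in a web farm every node must be given the same new values.
    """
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    vkey, dkey = generate_machine_key()
    mk.set("validationKey", vkey)
    mk.set("decryptionKey", dkey)
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, cfg in (("shipped", CONSTRUCTED_SHIPPED_CONFIG),
                      ("safe", CONSTRUCTED_SAFE_CONFIG)):
        print(name, audit_machine_key(cfg))
    print(rotate_machine_key(CONSTRUCTED_SHIPPED_CONFIG))
```

The audit cannot tell a vendor-shipped key from one an administrator generated by looking at one file alone; the meaningful test is to compare the value against a second installation or the installer’s own web.config, and any match means the key is not a secret. Rotating the key is a stop-gap for servers that cannot be updated immediately; the update remains the fix.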
The compromised organizations span a range of sectors, and while the countries involved have not been disclosed, the issue primarily affects users with internet-facing installations of these products. The incident is a software supply-chain problem in the plainest sense: a secret shipped inside a vendor’s installer is only as secret as its least protected customer, and its disclosure compromises every installation at once. The operational impact is magnified in environments that rely on these tools for remote file access and collaboration, since taking the server offline is itself a disruption.
In terms of adversary tactics, initial access most plausibly involved using the hard-coded key to forge requests the server treats as trusted, enabling unauthorized parties to execute commands remotely. In MITRE ATT&CK terms this is Exploit Public-Facing Application (T1190) under Initial Access rather than a privilege escalation technique; the attacker starts with code execution in the web application’s context, and whether the intruders went on to escalate or establish persistence has not been disclosed. Because exploitation relies on a valid key rather than a memory-corruption bug, it produces no crashes and few obvious artifacts, so defenders should review IIS logs on exposed servers for anomalous POST requests to the application and check whether the IIS worker process (w3wp.exe) spawned shells or scripting hosts during the exposure window.
The presence of such a vulnerability emphasizes that “patch regularly” is necessary but not sufficient for products that sit on the internet edge. Administrators should update CentreStack to 16.4.10315.56368 or later, track Gladinet’s guidance for Triofox, verify that the machineKey on each server is unique to that host rather than the value the installer wrote, and reduce the number of such servers reachable from the internet at all.
In conclusion, the exploitation of CVE-2025-30406 shows that an exposed service with a known secret needs no sophisticated attacker. Organizations should know which of their remote access products are internet-facing, keep them current, and treat any server that was exposed while vulnerable as a candidate for compromise review rather than assuming the update closed the matter.