On April 8, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a significant security vulnerability in Gladinet CentreStack to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The flaw is tracked as CVE-2025-30406 and carries a CVSS score of 9.0, reflecting its severity and its potential for remote code execution.

The vulnerability stems from the use of a hard-coded cryptographic key. An attacker who obtains this key can defeat the application’s ViewState integrity verification and forge ViewState payloads, enabling unauthorized remote code execution. CISA noted that this can be exploited to mount server-side deserialization attacks, further compounding the risk to affected systems.

The flaw was fixed in Gladinet CentreStack version 16.4.10315.56368, released on April 3, 2025. CISA’s advisory points out that the root cause is the hard-coded “machineKey” parameter in the IIS web.config file, which allows an attacker who knows the key to craft malicious payloads that trigger remote code execution.

While specifics surrounding the method of exploitation remain undisclosed, reports indicate that the vulnerability was actively exploited as early as March 2025, categorizing it as a zero-day threat. Gladinet has acknowledged the existence of exploitation in the wild and has urged its users to apply security updates at their earliest convenience. In cases where immediate patch installation is not feasible, it is recommended to rotate the machineKey value as a temporary measure to mitigate risks.
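As an added illustration of the stopgap the paragraph above recommends (this is example code written for this page, not code from Gladinet, CISA, or the article), the following Python script audits an ASP.NET web.config for a static `<machineKey>` and emits a replacement with freshly generated keys. The web.config fragment is constructed here and its key values are made up; the key lengths (64-byte validation key, 32-byte AES decryption key) follow the convention IIS Manager uses for HMACSHA256/AES. CentreStack’s actual configuration layout is assumed to match the standard `system.web/machineKey` shape.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config with a static <machineKey>, the configuration
# shape the advisory describes. Key values are invented for this example.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def find_machine_key(config_xml: str):
    """Return the <machineKey> attributes as a dict, or None if ASP.NET auto-generates keys."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else None


def audit_machine_key(config_xml: str) -> list:
    """List the findings a defender wants when reviewing a machineKey setting."""
    findings = []
    mk = find_machine_key(config_xml)
    if mk is None:
        return findings  # no static key configured: keys are auto-generated per app
    for attr in ("validationKey", "decryptionKey"):
        val = mk.get(attr, "AutoGenerate")
        if val.startswith("AutoGenerate"):
            continue
        if HEX_RE.match(val):
            # Anyone who has read this file (or a vendor default) can sign ViewState.
            findings.append(f"{attr} is a static hex value ({len(val) // 2} bytes); "
                            "rotate it if it could be known outside this host")
        else:
            findings.append(f"{attr} is not valid hex")
    if mk.get("validation", "").upper() in ("SHA1", "MD5"):
        findings.append("validation algorithm is legacy; HMACSHA256 is recommended")
    return findings


def generate_machine_key(validation: str = "HMACSHA256", decryption: str = "AES") -> str:
    """Build a replacement <machineKey> element with fresh CSPRNG-generated keys."""
    validation_key = secrets.token_hex(64).upper()  # 128 hex chars = 64 bytes
    decryption_key = secrets.token_hex(32).upper()  # 64 hex chars = 32 bytes (AES-256)
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            f'validation="{validation}" decryption="{decryption}" />')


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with any existing <machineKey> replaced by a fresh one."""
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    old = system_web.find("machineKey")
    if old is not None:
        system_web.remove(old)
    system_web.append(ET.fromstring(generate_machine_key()))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

Rotating the key invalidates every outstanding ViewState and forms-authentication ticket, so users will be logged out, and in a load-balanced deployment every node must receive the same new key or requests will fail integrity checks across nodes. Back up the original web.config before writing the rotated one, and treat the rotation as a bridge to installing the fixed release rather than a substitute for it.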

At this juncture, the identity of the adversaries conducting these attacks and the specific targets remains unclear. However, organizations utilizing the Gladinet CentreStack platform should remain vigilant, as this vulnerability potentially affects multiple sectors across various industries.

In analyzing the attack through the lens of the MITRE ATT&CK framework, the tactics involved may include initial access via exploitation of known vulnerabilities, followed by persistence through the deployment of crafted payloads. Such techniques could allow adversaries to escalate privileges and establish deeper footholds within compromised systems, ultimately leading to further exploitation opportunities.
