CVE-2025-30406: Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's...
CVSS: 9.8
Description
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: the CentreStack admin can manually delete the machineKey defined in portal\web.config.
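The mitigation in the NOTE above (removing the static machineKey from the portal's web.config) can be checked and applied mechanically. The following is an added example, not Gladinet's code and not the contents of the real CentreStack portal\web.config: it parses a constructed ASP.NET web.config with placeholder key values, reports any machineKey element whose validationKey or decryptionKey is a literal value rather than AutoGenerate, and writes a copy with the element removed so ASP.NET falls back to auto-generated keys.

```python
"""Audit an ASP.NET web.config for a static <machineKey> and produce a remediated copy.

Added example for the CVE-2025-30406 entry; the sample config below is constructed
(placeholder keys, not real CentreStack values) and the helpers are not vendor code.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the shape of an ASP.NET web.config carrying a static machineKey.
# The key values are obvious placeholders, not keys from any real installation.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_0000"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_0000"
                validation="SHA1" decryption="AES" />
    <httpRuntime targetFramework="4.8" />
  </system.web>
</configuration>
"""


def find_static_machine_keys(config_xml: str) -> list:
    """Return one finding per <machineKey> element whose validationKey or decryptionKey
    is a literal (hardcoded) value rather than the AutoGenerate setting."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter("machineKey"):
        attrs = dict(elem.attrib)
        static = [
            name for name in ("validationKey", "decryptionKey")
            if name in attrs
            and not attrs[name].strip().lower().startswith("autogenerate")
        ]
        if static:
            findings.append({"static_attributes": static, "attributes": attrs})
    return findings


def remove_machine_key(config_xml: str) -> str:
    """Return the config with every <machineKey> element removed: the mitigation the
    entry describes. With no element present, ASP.NET generates keys automatically."""
    root = ET.fromstring(config_xml)
    for parent in root.iter():
        # Snapshot the children so removal does not disturb iteration.
        for child in list(parent):
            if child.tag == "machineKey":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in find_static_machine_keys(SAMPLE_WEB_CONFIG):
        print("static machineKey found; hardcoded attributes:",
              ", ".join(finding["static_attributes"]))
    remediated = remove_machine_key(SAMPLE_WEB_CONFIG)
    print("remediated config has machineKey:", "machineKey" in remediated)
```

Run this against a copy of the real web.config (read the file into `config_xml` instead of the constructed sample) to confirm whether the element is present before and absent after the change. Removing the element is the workaround the entry gives; the fix proper is upgrading to the patched version named above. Where several nodes must share ViewState or forms-authentication tickets, replace the element with a freshly generated, installation-specific key rather than leaving the original static one in place.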
According to Huntress:
"It is very important to note that this weakness also affects Gladinet Triofox, up to version 16.4.10317.56372. By default, previous versions of the Triofox software have the same hardcoded cryptographic keys in their configuration file, and can be easily abused for remote code execution." See references.
Known Exploited
Marked as known exploited on April 8th, 2025.