CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild

April 15, 2025, 11:49 a.m.

Description

A critical vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox software has been discovered and is being actively exploited. The flaw involves hardcoded cryptographic keys in configuration files, allowing attackers to abuse ASPX ViewState for remote code execution. Affected versions include CentreStack below 16.4.10315.56368 and Triofox below 16.4.10317.56372. Exploitation leads to immediate compromise with potential for privilege escalation. Mitigation involves patching or changing machineKey values. Post-exploitation activities include downloading malicious DLLs, lateral movement, and installation of remote access tools like MeshCentral. Immediate action is recommended for vulnerable servers exposed to the internet.
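A defender-side check for the two conditions described above, as an added example that is not vendor code: it compares an installed build against the fixed builds named in the description and flags static machineKey values reused across servers. It assumes the keys sit in ASP.NET's standard `<machineKey>` element under `<system.web>` in web.config; the host names, key values and function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# First fixed builds, taken from the description above.
FIXED = {
    "CentreStack": (16, 4, 10315, 56368),
    "Triofox": (16, 4, 10317, 56372),
}

def is_vulnerable_version(product, version):
    """True when the dotted build number is below the fixed build."""
    return tuple(int(p) for p in version.split(".")) < FIXED[product]

def machine_key_fingerprint(web_config_xml):
    """SHA-256 fingerprint of a static machineKey, or None.

    None means there is no <machineKey> element, or both keys are
    AutoGenerate, so no static key material is stored in the file.
    """
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        return None
    keys = [node.get("validationKey", ""), node.get("decryptionKey", "")]
    if all(k == "" or k.startswith("AutoGenerate") for k in keys):
        return None
    # Fingerprint instead of returning the key, so reports never carry secrets.
    return hashlib.sha256("|".join(keys).encode()).hexdigest()

def shared_keys(configs):
    """Map fingerprint -> hosts for static keys found on more than one host."""
    seen = {}
    for host, xml_text in sorted(configs.items()):
        fp = machine_key_fingerprint(xml_text)
        if fp:
            seen.setdefault(fp, []).append(host)
    return {fp: hosts for fp, hosts in seen.items() if len(hosts) > 1}

# Constructed sample input: placeholder key strings, not real key material.
_TPL = ('<configuration><system.web><machineKey validationKey="{v}" '
        'decryptionKey="{d}" /></system.web></configuration>')
SAMPLE = {
    "srv-a": _TPL.format(v="AAAA1111", d="BBBB2222"),
    "srv-b": _TPL.format(v="AAAA1111", d="BBBB2222"),
    "srv-c": _TPL.format(v="AutoGenerate,IsolateApps", d="AutoGenerate,IsolateApps"),
}

if __name__ == "__main__":
    print(is_vulnerable_version("CentreStack", "16.4.10315.56367"))
    print(shared_keys(SAMPLE))
```

A fingerprint shared by several hosts means the key was not generated per installation and still needs rotating on each of them.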

Date

  • Created: April 15, 2025, 3:39 a.m.
  • Published: April 15, 2025, 3:39 a.m.
  • Modified: April 15, 2025, 11:49 a.m.

Indicators


Attack Patterns

Linked vulnerabilities