Gladinet CentreStack and Gladinet Triofox - Critical RCE (CVE-2025-30406)
A critical remote code execution vulnerability, CVE-2025-30406, with a CVSS score of 9.0, has been discovered in Gladinet CentreStack and Triofox platforms. The flaw, stemming from hard-coded cryptographic keys in web.config files, allows attackers to create malicious ViewState payloads and execute arbitrary code. Active exploitation began in March 2025, with at least seven organizations compromised. Attackers have been observed using encoded PowerShell scripts to download malicious DLLs, perform lateral movement, and install remote access tools like MeshCentral. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog, mandating federal and state entities to address it by April 29, 2025. Gladinet has released patches, and users are strongly advised to update to the latest versions or implement recommended mitigations, including rotating machineKey values and monitoring for unusual activity.
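To support the machineKey rotation advice above, the following PowerShell script is an added example (not Gladinet's or CISA's tooling) that inventories machineKey settings in web.config files and fingerprints any static key, so rotation can be verified without copying key material around. The install path, the script parameters ($Root, $Baseline) and the function names are assumptions made for this example.

```powershell
# Added example: inventory ASP.NET machineKey settings and verify rotation.
param(
    # Assumption: placeholder path; pass the product's actual install directory.
    [string]$Root = 'C:\Path\To\Install',
    # Optional CSV from an earlier run (before rotation, or from another installation).
    [string]$Baseline
)

function Get-KeyFingerprint {
    param([string]$Value)
    # Truncated SHA-256 of the key string: comparable across hosts, not reversible.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Value.Trim().ToUpperInvariant())
        ([System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '').Substring(0, 16)
    } finally { $sha.Dispose() }
}

function Get-MachineKeyFinding {
    param([string]$Path)
    $xml = New-Object System.Xml.XmlDocument
    try { $xml.Load($Path) } catch { Write-Warning "Cannot parse $Path"; return }
    # local-name() matches machineKey with or without an XML namespace, at any
    # depth (including inside <location> blocks).
    foreach ($node in $xml.SelectNodes("//*[local-name()='machineKey']")) {
        foreach ($attr in 'validationKey', 'decryptionKey') {
            $value = $node.GetAttribute($attr)
            if (-not $value) { continue }   # attribute absent: ASP.NET auto-generates the key
            $static = $value -notmatch '^\s*AutoGenerate'
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                File         = $Path
                Attribute    = $attr
                Static       = $static
                Fingerprint  = if ($static) { Get-KeyFingerprint $value } else { $null }
                Modified     = (Get-Item -LiteralPath $Path).LastWriteTimeUtc
            }
        }
    }
}

$findings = @(Get-ChildItem -LiteralPath $Root -Filter web.config -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MachineKeyFinding $_.FullName })

if ($Baseline) {
    # A static key whose fingerprint is already in the baseline was not rotated
    # (or is shared with the installation the baseline came from).
    $old = @(Import-Csv -LiteralPath $Baseline | Where-Object { $_.Fingerprint } | ForEach-Object { $_.Fingerprint })
    $findings | Where-Object { $_.Static -and $old -contains $_.Fingerprint } |
        ForEach-Object { Write-Warning ("Key unchanged: {0} in {1}" -f $_.Attribute, $_.File) }
}
$findings   # pipe to Export-Csv to create a baseline for later comparison
```

Run it once before rotation and pipe the output to Export-Csv, then run it again afterwards with -Baseline pointing at that file. A fingerprint that appears on more than one installation indicates a key that is not unique to that deployment.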