A critical remote code execution (RCE) vulnerability in Gladinet CentreStack, tracked as CVE-2025-30406, is under active exploitation in the wild, posing a significant threat to organizations using the platform. The flaw, which has been assigned a CVSS score of 9.8, was added to the Known Exploited Vulnerabilities (KEV) catalog on April 8, 2025, just five days after its disclosure, highlighting the urgency for affected users to apply patches.
The vulnerability stems from a deserialization issue in the CentreStack portal, specifically due to the use of a hardcoded machineKey. This flaw allows attackers who have knowledge of the machineKey to serialize a malicious payload that can be executed server-side, effectively compromising the system. The vulnerability affects versions of Gladinet CentreStack up to 16.1.10296.56315, with a fix available in version 16.4.10315.56368.
Exploitation of this vulnerability has been confirmed in the wild since March 2025, with threat actors leveraging the flaw to gain unauthorized access and execute arbitrary code on vulnerable systems. The high Exploit Prediction Scoring System (EPSS) score of 0.834 further underscores the likelihood of exploitation, making it imperative for organizations to prioritize remediation efforts.
Two exploits and two proof-of-concept (PoC) codes for CVE-2025-30406 are currently available, increasing the risk of widespread exploitation. The Security Severity Vulnerability Classification (SSVC) for this flaw is marked as "act," indicating that immediate action is required to mitigate potential impacts.
Gladinet CentreStack is widely used by managed service providers (MSPs) for file sharing and collaboration, making it a lucrative target for attackers seeking to exploit vulnerabilities for data theft or disruption. The platform's popularity in enterprise environments amplifies the potential impact of successful exploitation, as attackers could leverage access to sensitive data and critical infrastructure.
Organizations using Gladinet CentreStack should urgently update to the patched version to protect against this critical vulnerability. In addition to applying the patch, security teams should monitor for any signs of compromise, such as unusual network activity or unauthorized access attempts, which could indicate exploitation attempts.
Given the rapid exploitation timeline and the availability of exploit tools, defenders are advised to review their security posture and ensure that all systems are updated promptly. The inclusion of CVE-2025-30406 in the KEV catalog by CISA serves as a reminder of the critical nature of this vulnerability and the need for swift action to safeguard organizational assets.
CSURFACE