Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-30406
CVE-2025-30406:
Gladinet CentreStack vulnerability analysis and mitigation
Overview
CVE-2025-30406 is a critical deserialization vulnerability in Gladinet CentreStack through version 16.1.10296.56315 (fixed in 16.4.10315.56368) and Triofox up to version 16.4.10317.56372. The vulnerability stems from the CentreStack portal's hardcoded machineKey use, which was discovered being exploited in the wild in March 2025. The vulnerability affects the web portal component of both CentreStack and Triofox installations (Huntress Blog, NVD).
Technical details
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST and 9.0 (CRITICAL) from MITRE. The vulnerability exists in the ASPX application's web.config file, typically located at 'C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config' and 'C:\Program Files (x86)\Gladinet Cloud Enterprise\portal\web.config'. The hardcoded keys enable attackers to abuse the ASPX ViewState mechanism for server-side deserialization, leading to remote code execution. Both configuration files must be properly secured to mitigate the vulnerability (Huntress Blog).
Impact
Successful exploitation leads to remote code execution as the IISAPPPOOL\portaluser, which can be escalated to NT AUTHORITY\SYSTEM privileges, resulting in full system compromise. According to Shodan scans, hundreds of vulnerable servers are exposed to the public internet. The vulnerability requires no prerequisites other than knowledge of the default key values (Huntress Blog).
Mitigation and workarounds
Organizations should upgrade CentreStack to version 16.4.10315.56368 or later, and Triofox to version 16.4.10317.56372 or later. If immediate patching is not possible, administrators can manually delete or change the machineKey values in the web.config files. Both the root and portal web.config files must be updated to ensure complete protection. Gladinet has provided official security advisories with detailed remediation guidance for both products (NVD, Huntress Blog).
Community reactions
CISA has added this vulnerability to their Known Exploited Vulnerabilities (KEV) catalog on April 8, 2025, requiring federal agencies to apply patches by April 29, 2025. The cybersecurity community has responded quickly, with researchers from Huntress developing detection tools and providing detailed technical analysis of the exploitation (CISA Alert).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management