Dive Brief:
- Huntress on Monday published research that showed exploitation of CVE-2025-30406, a deserialization vulnerability in Gladinet's CentreStack enterprise file-sharing platform for managed service providers (MSPs). The cybersecurity vendor said seven organizations were compromised via the zero-day flaw, which involves a hardcoded cryptographic key that can be used to gain remote code execution.
- Huntress warned that Gladinet's Triofox product also relies on a hardcoded key and is vulnerable to CVE-2025-30406. Triofox is an on-premises file-sharing server designed for larger enterprises, according to Gladinet.
- CISA added CVE-2025-30406 to its known exploited vulnerabilities catalog on April 9. Gladinet first disclosed the flaw on April 3 and warned that exploitation had already been observed in the wild.
Dive Insight:
CVE-2025-30406 is a critical flaw that stems from CentreStack's default use of a hardcoded key in its configuration files. According to Huntress, the key can be used in "a very standard and well-researched attack technique," which could give attackers full control of the CentreStack instance and any customer data contained within.
Both the National Vulnerability Database (NVD) and CVE.org say the vulnerability was exploited in the wild in March. John Hammond, principal security researcher at Huntress, said in the research post that the cybersecurity vendor discovered 120 endpoints running CentreStack among its customers, with seven unique organizations compromised through vulnerable instances.
Hammond also warned that CVE-2025-30406 affects more than CentreStack. "It is very important to note that this weakness also affects Gladinet Triofox, up to version 16.4.10317.56372," he wrote. "By default, previous versions of the Triofox software have the same hardcoded cryptographic keys in their configuration file, and can be easily abused for remote code execution."
Triofox is not mentioned in the NVD or CVE.org entries for CVE-2025-30406. Similarly, Gladinet's initial advisory for CVE-2025-30406 does not mention Triofox, though the vendor issued a separate advisory that contained mitigation guidance for the product.
"If a Gladinet CentreStack or Triofox server is exposed to the Internet with these hardcoded keys, it is in immediate danger and needs to be patched or have the machineKey values changed as soon as possible," Hammond wrote.
In an email, Hammond told Cybersecurity Dive that Huntress has not observed any exploitation against Triofox instances. However, he noted the exploitation activity against CentreStack instances is significant.
“Based on our telemetry, the observed exploitation activity is not likely to be driven by a single actor or group, nor does it appear to be specifically targeting managed service providers (MSPs). Instead, the behavior suggests attacks of opportunity,” he said.
Additionally, Huntress observed threat actors deploying MeshCentral, an open source remote management tool, and moving laterally through victim environments. The blog post includes IP addresses and other indicators of compromise connected to these attacks.
In its advisories, Gladinet recommended that customers upgrade to CentreStack version 16.4.10315.56368, which automatically generates a unique key for each installation. Gladinet urged customers that are unable to patch to manually rotate the keys as a temporary mitigation.
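One way to confirm that each installation really has its own key after patching or rotation, as an added example that is not from Huntress or Gladinet: the script below fingerprints the `machineKey` values in a set of ASP.NET `web.config` files and reports installs that still share a static key. The host names and key values are constructed samples, and where the config file lives on a given server is left to the operator.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs; host names and key values are made up.
_TPL = ('<configuration><system.web><machineKey validationKey="{v}" '
        'decryptionKey="{d}" validation="SHA1" /></system.web></configuration>')
SAMPLE_CONFIGS = {
    "host-a/web.config": _TPL.format(v="AAAA1111BBBB2222", d="CCCC3333DDDD4444"),
    "host-b/web.config": _TPL.format(v="AAAA1111BBBB2222", d="CCCC3333DDDD4444"),
    "host-c/web.config": _TPL.format(v="9999EEEE8888FFFF", d="7777ABAB6666CDCD"),
    "host-d/web.config": _TPL.format(v="AutoGenerate,IsolateApps",
                                     d="AutoGenerate,IsolateApps"),
    "host-e/web.config": "<configuration><system.web /></configuration>",
}

def key_fingerprint(xml_text):
    """SHA-256 fingerprint of explicit machineKey values, or None if not static."""
    root = ET.fromstring(xml_text)
    # Match on the local tag name so a namespaced <configuration> still works.
    mk = next((el for el in root.iter()
               if el.tag.rsplit("}", 1)[-1] == "machineKey"), None)
    if mk is None:
        return None
    vals = [mk.get("validationKey", ""), mk.get("decryptionKey", "")]
    # Absent or AutoGenerate values are derived per machine, not hardcoded.
    if all(v == "" or v.upper().startswith("AUTOGENERATE") for v in vals):
        return None
    # Hash the pair so reports never carry the key material itself.
    return hashlib.sha256("|".join(vals).encode()).hexdigest()

def audit(configs):
    """Map each config to 'shared', 'unique' or 'auto' (no static key)."""
    groups = defaultdict(list)
    status = {}
    for name, text in configs.items():
        fp = key_fingerprint(text)
        if fp is None:
            status[name] = "auto"
        else:
            groups[fp].append(name)
    for names in groups.values():
        for name in names:
            status[name] = "shared" if len(names) > 1 else "unique"
    return status

if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{state:7} {name}")
```

A `shared` result across separate installations means the keys did not come from per-installation generation and still need rotating.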
Editor’s Note: This story has been updated with comments from Huntress.