Hackers Capitalize on Untapped Vulnerability in Gladinet CentreStack File-Sharing System
A critical vulnerability, CVE-2025-30406, has been identified in Gladinet's CentreStack and Triofox products, according to cybersecurity firm Huntress. This vulnerability, which allows for remote code execution using a hardcoded cryptographic key, has been exploited in the wild, notably in March 2025.
The exploitation activity does not appear to be driven by a single actor or group, nor does it seem to be specifically targeting managed service providers (MSPs). Instead, it looks opportunistic, aimed at servers exposed to the Internet that still carry the hardcoded keys.
If a Gladinet CentreStack or Triofox server is exposed to the Internet with hardcoded keys, it is in immediate danger and requires patching or a change in the machineKey value. A patch for this vulnerability was published on April 3, 2025. It is crucial for users to apply the latest available patches to their systems to prevent exploitation.
Seven organisations have been compromised via this zero-day flaw in CentreStack. Both the National Vulnerability Database (NVD) and CVE.org state that the vulnerability was exploited in the wild in March. However, Huntress has not observed any exploitation against Triofox instances.
Gladinet recommends that customers upgrade to CentreStack version 16.4.10315.56368, which automatically generates a unique key for each installation. For those unable to patch, Gladinet urges a manual rotation of the keys as a temporary mitigation.
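The vendor guidance above comes down to one thing: a CentreStack or Triofox server must not run with a machineKey shared across installations, so either patch to a release that generates a unique key or rotate the key by hand. The following added example (not Gladinet's or Huntress's code) parses an ASP.NET web.config, flags a literal machineKey, and writes fresh random key material; the sample config is constructed and the real file location on a CentreStack install is an assumption to confirm against the vendor's instructions.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: a web.config pinning literal validation/decryption
# keys, the configuration shape the advisory says must be rotated.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

def find_machine_key(config_xml: str):
    """Return the <machineKey> element, or None if the config has none."""
    return ET.fromstring(config_xml).find("./system.web/machineKey")

def uses_literal_machine_key(config_xml: str) -> bool:
    """True when the config pins literal key material.
    'AutoGenerate' (optionally ',IsolateApps') means ASP.NET derives a
    per-machine key itself, so that case is not flagged."""
    mk = find_machine_key(config_xml)
    if mk is None:
        return False
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if not value.upper().startswith("AUTOGENERATE"):
            return True
    return False

def rotate_machine_key(config_xml: str) -> str:
    """Replace both keys with fresh random values and return the new XML.
    Sizes match what the IIS machine key generator emits: a 64-byte
    (128 hex char) validation key and a 32-byte (64 hex char) AES key.
    The algorithm attributes are left exactly as configured."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        raise ValueError("no <machineKey> element to rotate")
    mk.set("validationKey", secrets.token_hex(64).upper())
    mk.set("decryptionKey", secrets.token_hex(32).upper())
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # Assumed path; the real web.config location is installation-specific.
    print("literal key present:", uses_literal_machine_key(SAMPLE_WEB_CONFIG))
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

Rotating the key invalidates every outstanding ViewState and forms-authentication ticket signed with the old one, so expect users to be logged out once the new web.config is in place.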
Triofox is an on-premises file-sharing server designed for larger enterprises, according to Gladinet. The observed exploitation activity against CentreStack instances is significant.
Huntress also published research on this deserialization vulnerability in Gladinet's CentreStack enterprise file-sharing platform. The blog post includes IP addresses and other indicators of compromise connected to these attacks.
Given the severity and active exploitation of this vulnerability, immediate action is recommended to protect against potential attacks. Users should also consider additional security measures such as monitoring for unusual activity and ensuring that all software components are up to date. CISA added CVE-2025-30406 to its Known Exploited Vulnerabilities catalog on April 9, with a remediation due date of April 29, 2025.
Given the active exploitation of CVE-2025-30406 in Gladinet's CentreStack and Triofox products, users should prioritise remediation. If a CentreStack or Triofox server is exposed to the Internet with hardcoded keys, it is immediately vulnerable and requires patching or a change in the machineKey value. Additionally, users should monitor for unusual activity and ensure that all software components are up to date to minimise the chance of a successful attack.