CVE-2025-30406
April 16, 2025

Gladinet CentreStack and Gladinet Triofox – Critical RCE

Security Advisory
Kudelski Security Team

Summary

A critical security vulnerability, CVE-2025-30406, has been identified in Gladinet CentreStack and Triofox, with a CVSS score of 9.0. The vulnerability stems from the use of hard-coded cryptographic keys, which can be abused to achieve remote code execution. It is believed to have been exploited as a zero-day in March 2025.

Affected Systems and/or Applications

  • Gladinet Triofox (remote access solution): versions up to 16.4.10317.56372
  • Gladinet CentreStack: versions up to 16.4.10315.56368

Technical Details / Attack Overview

Hard-coded Cryptographic Keys:

  • The vulnerability arises from the use of a hard-coded machineKey in the web.config files. This key is crucial for ViewState integrity verification in ASP.NET applications.
  • The machineKey is used to encrypt and validate the ViewState, the mechanism that preserves the state of web pages across postbacks.

ViewState Deserialization Attack:

  • Attackers who know the machineKey can craft malicious ViewState payloads.
  • These payloads, when deserialized by the server, can execute arbitrary code.
  • This is a well-known attack vector in ASP.NET applications when the ViewState is not properly secured.

Configuration File Paths:

  • The vulnerable `web.config` files are typically located at:
    • `C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config`
    • `C:\Program Files (x86)\Gladinet Cloud Enterprise\portal\web.config`
  • For Triofox, similar paths are used:
    • `C:\Program Files (x86)\Triofox\root\web.config`
    • `C:\Program Files (x86)\Triofox\portal\web.config`

The flaw has been exploited in the wild since March 2025, with attackers leveraging it to download and side-load a DLL using an encoded PowerShell script. This method is similar to recent attacks exploiting the CrushFTP flaw. Attackers have been observed conducting lateral movement and installing MeshCentral for remote access, using Impacket PowerShell commands for enumeration and installing MeshAgent.

Mitigation

  • Patching: Upgrade to the latest versions of CentreStack (16.4.10315.56368) and Triofox (16.4.10317.56372).
  • Configuration Changes: If patching is not immediately possible, change the machineKey values in all web.config files: https://support.triofox.com/hc/en-us/articles/4405656685335-Hardening-the-Triofox-Cluster#h_01JQXYCN9GWPB4EMDM5CEDDYS0
  • Monitoring: Implement continuous monitoring for unusual activity, especially PowerShell execution and network connections to suspicious IPs. Look for ViewState errors in the Windows Application Event Log (Event ID 1316) and for suspicious outbound connections from IIS worker processes.
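As an added example (not the advisory's own script, nor Gladinet's hardening procedure), the following PowerShell rotates the machineKey in the four web.config paths listed above. It assumes those paths, an elevated shell, and the ASP.NET defaults for generated keys (HMACSHA256 validation, AES decryption); in a cluster the same key pair must be applied on every node so ViewState validates across nodes.

```powershell
# Added example: replace the hard-coded <machineKey> in each CentreStack/Triofox
# web.config with freshly generated random keys, backing up each file first.
# Assumptions: the four paths below exist on this server; run as Administrator;
# apply the SAME key pair on every node of a cluster.

function New-HexKey {
    param([int]$Bytes)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ([System.BitConverter]::ToString($buf)) -replace '-', ''
}

$paths = @(
    'C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config',
    'C:\Program Files (x86)\Gladinet Cloud Enterprise\portal\web.config',
    'C:\Program Files (x86)\Triofox\root\web.config',
    'C:\Program Files (x86)\Triofox\portal\web.config'
)

# One key pair shared by all web.config files on this server (assumption:
# HMACSHA256 validation and AES decryption, the values ASP.NET uses for new keys).
$validationKey = New-HexKey 64   # 64 bytes -> 128 hex chars
$decryptionKey = New-HexKey 32   # 32 bytes -> 64 hex chars (AES-256)

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    Copy-Item $p "$p.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # keep a backup

    $cfg = New-Object System.Xml.XmlDocument
    $cfg.PreserveWhitespace = $true                              # keep the file's layout
    $cfg.Load($p)
    $sw = $cfg.SelectSingleNode('/configuration/system.web')
    if (-not $sw) { Write-Warning "no <system.web> in $p"; continue }

    $mk = $sw.SelectSingleNode('machineKey')
    if (-not $mk) { $mk = $sw.AppendChild($cfg.CreateElement('machineKey')) }
    $mk.SetAttribute('validationKey', $validationKey)
    $mk.SetAttribute('decryptionKey', $decryptionKey)
    $mk.SetAttribute('validation', 'HMACSHA256')
    $mk.SetAttribute('decryption', 'AES')
    $cfg.Save($p)   # ASP.NET restarts the application when web.config changes
    Write-Host "rotated machineKey in $p"
}
```

Existing ViewState issued under the old key stops validating after the change, so expect a burst of Event ID 1316 entries from legitimate users right after rotation.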

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if vulnerable device versions are found within the scope of the scans, as soon as a relevant plugin is made available by the scan provider.
