RCE flaw in MSP-friendly file sharing platform exploited by attackers (CVE-2025-30406)

A critical RCE vulnerability (CVE-2025-30406) affecting the Gladinet CentreStack file-sharing/remote access platform was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on Tuesday.


According to the vulnerability’s entry in NIST’s National Vulnerability Database, the flaw has been leveraged in attacks since March 2025.

About CVE-2025-30406

CentreStack is a platform that allows managed service providers (MSPs) to offer cloud-like file services to their customers: file sharing, backup, collaboration, and remote access.

CVE-2025-30406 is a deserialization vulnerability caused by the CentreStack portal’s use of a hardcoded machineKey.

“The application uses a hardcoded or improperly protected machineKey in the IIS web.config file, which is responsible for securing ASP.NET ViewState data,” Gladinet explained in an advisory published last week.

“If an attacker obtains or predicts the machineKey, they can forge ViewState payloads that pass integrity checks. In some scenarios, this can result in ViewState deserialization attacks, potentially leading to remote code execution (RCE) on the web server.”

What to do?

The vulnerability affects CentreStack versions up to and including v16.1.10296.56315, and has been fixed in version 16.4.10315.56368, released on April 3, 2025. This latest version automatically generates and applies a new, unique machine key during installation to enhance system security.

Customers who cannot update their installations immediately are advised to manually generate and apply a new machineKey.

But CVE-2025-30406 also affects Triofox, Gladinet’s enterprise-focused, single-tenant file sharing and remote access platform. And, according to the company’s security advisory for the vulnerability in that product, “exploitation has been observed in the wild” – though CISA does not mention that in the KEV catalog.

Gladinet has released a security update (v16.4.10317.56372) for Triofox, as well, and the mitigation advice is the same as for CentreStack deployments: rotate the machineKey.
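As an added illustration (not Gladinet’s own tooling or code), the following Python script shows the mitigation described above on a constructed web.config: it replaces a static `<machineKey>` element with freshly generated random keys and then verifies that the rotation actually changed both keys. The sample config and its placeholder hex values are constructed; the key sizes follow the usual HMACSHA256/AES sizing and are an assumption, not a Gladinet recommendation.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config with a static machineKey.
# The hex strings are obvious placeholders, not real or leaked keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
""".format(v="0123456789ABCDEF" * 8, d="FEDCBA9876543210" * 4)


def generate_machine_key(validation_bytes: int = 64, decryption_bytes: int = 32) -> dict:
    """Return a fresh, cryptographically random machineKey attribute set.
    64 bytes for HMACSHA256 validation and 32 bytes for AES-256 decryption (assumed sizing)."""
    return {
        "validationKey": secrets.token_hex(validation_bytes).upper(),
        "decryptionKey": secrets.token_hex(decryption_bytes).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def machine_key_of(config_xml: str):
    """Return the machineKey attributes of a web.config string, or None if absent."""
    mk = ET.fromstring(config_xml).find("system.web/machineKey")
    return dict(mk.attrib) if mk is not None else None


def rotate_machine_key(config_xml: str) -> tuple[str, dict]:
    """Replace (or create) the machineKey element with newly generated keys.
    Returns the rewritten config and the new attribute set."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    new_key = generate_machine_key()
    mk.attrib.clear()          # drop the old, possibly hardcoded values entirely
    mk.attrib.update(new_key)
    return ET.tostring(root, encoding="unicode"), new_key


def key_was_rotated(old_xml: str, new_xml: str) -> bool:
    """Post-change check: both validationKey and decryptionKey must differ from before."""
    old, new = machine_key_of(old_xml), machine_key_of(new_xml)
    if new is None:
        return False
    if old is None:
        return True
    return (old.get("validationKey") != new.get("validationKey")
            and old.get("decryptionKey") != new.get("decryptionKey"))
```

Rotating the key invalidates ViewState and forms-authentication tickets issued under the old key, and every node in a web farm must receive the same new key, so schedule the change accordingly.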

Vulnerabilities (often zero-days) in enterprise-grade file transfer/sharing solutions are a favorite target for attackers: flaws in Progress Software’s MOVEit solution, Cleo’s various file transfer products, Fortra’s GoAnywhere and, most recently, CrushFTP have all been leveraged in attacks over the past two years.

We’ve reached out to Gladinet for more details about the attacks, but have yet to hear back from them. We’ll update this article when we know more.
