CISA Alerts on CentreStack’s Hard-Coded MachineKey Vulnerability Enabling Remote Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Gladinet’s CentreStack software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-30406 with a CVSS score of 9.0, stems from a hard-coded cryptographic key that attackers can leverage to achieve remote code execution. Gladinet addressed the issue in version 16.4.10315.56368, released on April 3, 2025.

CISA’s advisory highlights that CentreStack’s use of a hard-coded machineKey in the IIS web.config file allows attackers to forge ViewState payloads, leading to server-side deserialization and potential remote code execution. ASP.NET relies on the machineKey to sign (and optionally encrypt) ViewState, so any threat actor who knows the key can produce a serialized payload the server treats as authentic; when the server deserializes it, arbitrary code can run.

While specific details about the exploitation methods, identities of the threat actors, and targeted entities remain undisclosed, the CVE.org description indicates that CVE-2025-30406 was exploited in the wild in March 2025, suggesting its use as a zero-day vulnerability.

Gladinet has acknowledged the active exploitation of this vulnerability and urges customers to apply the latest patches promptly. For those unable to update immediately, rotating the machineKey value is recommended as a temporary mitigation measure.
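The mitigation above (rotating the machineKey) and the root cause described earlier (a key shared across installations rather than generated per deployment) can both be illustrated with a small script. The following is an added example, not code from CISA, Gladinet or the article: it parses a constructed web.config, reports the current `<machineKey>`, checks whether two configurations share the same validationKey, and rewrites the element with freshly generated random keys. The placeholder key strings in the sample are invented for this example and are not the vendor's hard-coded value; the function names (`read_machine_key`, `shares_key_with`, `rotate_machine_key`) are this example's own.

```python
"""Rotate the ASP.NET <machineKey> in an IIS web.config (added example)."""
import secrets
import xml.etree.ElementTree as ET

# ASP.NET key sizes: HMACSHA256 validation uses a 64-byte key and AES
# decryption a 32-byte key. Both are stored as hex strings in web.config.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32

# Constructed sample web.config. The key values below are placeholders made up
# for this example; they are NOT the vendor's hard-coded key.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- constructed sample; real files carry many more sections -->
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="PLACEHOLDER_SHARED_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_SHARED_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def _parse(xml_text):
    # Keep XML comments; the default ElementTree parser discards them and a
    # rewritten web.config should not silently lose the admin's notes.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def generate_machine_key():
    """Return a fresh, cryptographically random machineKey attribute set."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def read_machine_key(web_config_xml):
    """Return the current <machineKey> attributes, or None if the element is absent."""
    system_web = _parse(web_config_xml).find("system.web")
    node = system_web.find("machineKey") if system_web is not None else None
    return dict(node.attrib) if node is not None else None


def shares_key_with(web_config_a, web_config_b):
    """True if two installs use the same validationKey.

    A key that is identical across independent deployments is by definition
    not per-deployment, which is exactly the property of a hard-coded key.
    """
    a, b = read_machine_key(web_config_a), read_machine_key(web_config_b)
    if not a or not b:
        return False
    return a.get("validationKey") == b.get("validationKey")


def rotate_machine_key(web_config_xml, new_key=None):
    """Overwrite (or add) <machineKey> under <system.web>; return (new_xml, key)."""
    root = _parse(web_config_xml)
    if root.tag != "configuration":
        raise ValueError("not a web.config: root element is <%s>" % root.tag)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    node = system_web.find("machineKey")
    if node is None:
        node = ET.SubElement(system_web, "machineKey")
    new_key = new_key or generate_machine_key()
    for name, value in new_key.items():
        node.set(name, value)
    # ElementTree does not emit the XML declaration itself, so re-add it.
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body, new_key


if __name__ == "__main__":
    before = read_machine_key(SAMPLE_WEB_CONFIG)
    after_xml, key = rotate_machine_key(SAMPLE_WEB_CONFIG)
    print("old validationKey:", before["validationKey"])
    print("new validationKey:", key["validationKey"][:16] + "...")
    print(after_xml)
```

Two operational points follow from how ASP.NET uses this element: rotating the key invalidates every ViewState blob and forms-authentication ticket issued under the old key, so users are logged out and in-flight postbacks fail, and in a web farm every node must receive the same new key or requests that land on a different node will be rejected. Rotation only removes the attacker's ability to forge ViewState with the known key; applying the vendor's fixed version remains the actual remedy.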