Huntress issued an alert following the discovery of active exploitation of a newly disclosed zero-day vulnerability (CVE-2025-30406) in Gladinet's CentreStack and Triofox platforms. The vulnerability, rated critical (CVSS 9.0), allows unauthenticated remote code execution through hardcoded cryptographic keys present in configuration files.

Gladinet CentreStack and Triofox Exploited in the Wild

The first known exploit attempt occurred on April 11 at 16:59 UTC and involved PowerShell commands reaching out to external URLs for payload delivery. Shodan scans reveal that several hundred vulnerable CentreStack and Triofox servers are publicly exposed to the internet. While that number may appear low, the risk of immediate compromise is high because the exploit is trivial to carry out.

The affected versions include:

    • CentreStack: All versions below 16.4.10315.56368
    • Triofox: All versions below 16.4.10317.56372

Threat actors have used IP addresses such as 104.21.16[.]1 and 104.21.48[.]1 for command-and-control communications.
According to Huntress, seven organizations have already been impacted, with around 120 endpoints observed running vulnerable CentreStack installations.

CVE-2025-30406

CVE-2025-30406 stems from hardcoded cryptographic keys in the web.config files of the CentreStack and Triofox applications. These keys can be abused through a popular attack technique against ASP.NET applications, ViewState deserialization.

The presence of identical keys across different installations makes remote code execution possible without any user interaction. Exploitation results in code execution under the IISAPPPOOL\portaluser identity, which attackers can escalate to full system compromise.

Affected file paths include:
C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config
C:\Program Files (x86)\Gladinet Cloud Enterprise\portal\web.config

Note: Identical paths exist for Triofox installations.

Post-exploitation behavior includes:

    • Use of encoded PowerShell to sideload malicious DLLs.
    • Execution of renamed binaries such as Centre.exe (a repurposed “Wallpaper Engine Launcher”).
    • Attempts to install MeshCentral remote access tooling.
    • Lateral movement via Impacket-style PowerShell enumeration and user creation.

Final Thoughts

The swift exploitation of CVE-2025-30406 highlights both the danger of default cryptographic configurations and the increasing speed at which threat actors capitalize on emerging vulnerabilities. Huntress provides two PowerShell scripts to mitigate CVE-2025-30406. In cases where patching is not immediately possible, manually updating or removing the machineKey entries in the web.config files is strongly advised.
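As an added example (not one of the Huntress scripts and not Gladinet code), the following PowerShell audits the two web.config paths listed above for a static <machineKey> and, when run with -Rotate, backs up the file and replaces the keys with freshly generated random ones; it assumes the element sits under <configuration><system.web>, the usual location in ASP.NET configuration.

```powershell
# Added example: audit CentreStack/Triofox web.config files for a static <machineKey>
# and optionally rotate it. Assumes the element is at /configuration/system.web/machineKey.
param(
    [switch]$Rotate   # without -Rotate the script only reports findings
)

# Paths named in the advisory; Triofox uses identical paths
$paths = @(
    'C:\Program Files (x86)\Gladinet Cloud Enterprise\root\web.config',
    'C:\Program Files (x86)\Gladinet Cloud Enterprise\portal\web.config'
)

function New-HexKey([int]$Bytes) {
    # Fresh key material from the OS CSPRNG, hex-encoded as ASP.NET expects
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
}

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Not found: $path"; continue }
    [xml]$cfg = Get-Content -LiteralPath $path -Raw
    $mk = $cfg.SelectSingleNode('/configuration/system.web/machineKey')
    if ($null -eq $mk) { Write-Output "[OK]    $path has no explicit <machineKey> (auto-generated keys)"; continue }

    # 'AutoGenerate,IsolateApps' is the ASP.NET default; anything else is a fixed key
    $static = ($mk.validationKey -and $mk.validationKey -ne 'AutoGenerate,IsolateApps') -or
              ($mk.decryptionKey -and $mk.decryptionKey -ne 'AutoGenerate,IsolateApps')
    if (-not $static) { Write-Output "[OK]    $path machineKey is auto-generated"; continue }

    Write-Output "[ALERT] $path carries a static machineKey (keys shared across installs enable ViewState forgery)"
    if ($Rotate) {
        Copy-Item -LiteralPath $path -Destination "$path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
        $mk.SetAttribute('validationKey', (New-HexKey 64))   # 64 bytes suits HMACSHA256/512
        $mk.SetAttribute('decryptionKey', (New-HexKey 32))   # 32 bytes = AES-256
        $cfg.Save($path)
        Write-Output "[FIXED] $path machineKey replaced with fresh random keys (backup written)"
    }
}
```

Rotating the keys invalidates outstanding ViewState and forms-authentication tickets, so run it in a maintenance window and recycle the IIS application pool afterwards. Patching to the fixed versions listed above remains the primary remediation.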