CVE-2025-30406 — Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability

Gladinet CentreStack / Triofox — ASP.NET Hard-coded Machine Key Enables ViewState Deserialization RCE

What is Gladinet CentreStack?

Gladinet CentreStack and Triofox are enterprise private-cloud file server and sync/share platforms, deployed on-premises to provide Dropbox/OneDrive-style file access without relying on public cloud storage. They are used by organizations that need to host file-sharing infrastructure internally while giving employees web and mobile access. Both products are built on ASP.NET and hosted on Windows Server / IIS. This vulnerability belongs to the same ASP.NET machine key deserialization attack class as Sitecore's CVE-2025-53690.

Overview

CVE-2025-30406 is a critical use of hard-coded cryptographic key vulnerability (CWE-321, CVSS 9.0) in Gladinet CentreStack and Triofox. These products shipped with a hard-coded <machineKey> in their default web.config — the same key in every default installation. Because ASP.NET uses the machine key to sign and verify ViewState payloads, an attacker who knows the key can forge malicious __VIEWSTATE payloads and submit them, triggering .NET deserialization that executes arbitrary code as the IIS application pool identity. The vulnerability was exploited as a zero-day: Huntress observed active exploitation, and CISA added it to the KEV catalog on April 8, 2025.

Affected Versions

Product     | Vulnerable                                 | Fixed
CentreStack | All versions using the default machine key | Version 16.3.10529 or later
Triofox     | All versions using the default machine key | Patched version per Gladinet advisory

The fix randomizes the machine key at installation time. Existing deployments must manually replace the hard-coded key with a newly generated unique key.

Technical Details

The vulnerability (CWE-321: Use of Hard-coded Cryptographic Key) is in CentreStack and Triofox's default ASP.NET web.config. These products shipped with a static, hard-coded <machineKey> element — the same key in every default installation. ASP.NET uses this key to create an HMAC signature over ViewState, preventing tampering. Because the key is publicly known (it was shipped in the product's installer), any attacker can:

  1. Craft a malicious __VIEWSTATE payload containing a .NET deserialization gadget chain.
  2. Sign it using the known machine key to produce a valid HMAC that ASP.NET accepts.
  3. POST the payload to any CentreStack/Triofox endpoint that processes ViewState.
  4. ASP.NET deserializes the payload and executes the gadget chain as the IIS application pool account.

The High Complexity (AC:H) CVSS rating reflects the requirement to know the hard-coded key — but since the key is the same across all default installations, it is effectively publicly known. The Scope:Changed (S:C) rating reflects that the IIS application pool identity typically has broad system access.

This is the same attack class as CVE-2025-53690 (Sitecore) and the broader class of "publicly known ASP.NET machine key" exploits that Microsoft warned about in 2020.
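The fix for this class of bug is a machine key that is unique to the deployment and identical across the servers of one farm. The following Python script is an added example (not Gladinet's code and not taken from the vendor advisory) showing how an administrator could generate such a key from the OS CSPRNG, rewrite the <machineKey> element in a web.config, and audit a set of configs for two failure modes: a key that is still the vendor default, and farm nodes whose keys disagree. The sample web.config and the PLACEHOLDER_DEFAULT_* values are constructed; this page does not reproduce the real default key, so the known-bad set has to be filled in from the vendor advisory.

```python
"""Rotate and audit the ASP.NET <machineKey> in a web.config.

Added example, not Gladinet code. The sample web.config below is constructed
and carries PLACEHOLDER values, not the real vendor default key.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config with a placeholder hard-coded key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation targetFramework="4.8" />
    <machineKey validationKey="PLACEHOLDER_DEFAULT_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DEFAULT_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Keys an auditor treats as compromised: the vendor default (a placeholder
# here, since this page does not reproduce it) and any value published online.
KNOWN_BAD_VALIDATION_KEYS = {"PLACEHOLDER_DEFAULT_VALIDATION_KEY"}


def generate_machine_key():
    """Fresh (validationKey, decryptionKey) pair from the OS CSPRNG:
    64 bytes for the HMAC key (HMACSHA256 takes up to 64), 32 bytes for AES-256."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def read_machine_keys(config_xml):
    """Return (validationKey, decryptionKey) for every <machineKey> under
    <system.web>, including ones nested in <location> blocks."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    return [
        (mk.get("validationKey", "AutoGenerate"), mk.get("decryptionKey", "AutoGenerate"))
        for system_web in root.iter("system.web")
        for mk in system_web.findall("machineKey")
    ]


def rotate_machine_key(config_xml, validation_key, decryption_key):
    """Rewrite every <machineKey> under <system.web> with the supplied keys and
    modern algorithms. Returns (new_xml, number_of_elements_rewritten)."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    rewritten = 0
    for system_web in root.iter("system.web"):
        mk = system_web.find("machineKey")
        if mk is None:  # no element yet: add one instead of inheriting machine.config
            mk = ET.SubElement(system_web, "machineKey")
        mk.set("validationKey", validation_key)
        mk.set("decryptionKey", decryption_key)
        mk.set("validation", "HMACSHA256")
        mk.set("decryption", "AES")
        rewritten += 1
    return ET.tostring(root, encoding="unicode"), rewritten


def audit_farm(configs):
    """configs: {server_name: web.config text}. Returns a list of findings.
    No node may still carry a known default key, and every node in the farm
    must carry the *same* new key, otherwise ViewState produced by one node
    fails MAC validation on the others."""
    findings, seen = [], {}
    for server, xml in configs.items():
        for validation_key, decryption_key in read_machine_keys(xml):
            if validation_key in KNOWN_BAD_VALIDATION_KEYS:
                findings.append(f"{server}: validationKey is a known default, rotate immediately")
            if validation_key.startswith("AutoGenerate") and len(configs) > 1:
                findings.append(f"{server}: AutoGenerate key is not shared across farm nodes")
            seen[server] = (validation_key, decryption_key)
    if len(set(seen.values())) > 1:
        findings.append("farm nodes disagree on machineKey: " + ", ".join(sorted(seen)))
    return findings


if __name__ == "__main__":
    vk, dk = generate_machine_key()
    fixed, n = rotate_machine_key(SAMPLE_WEB_CONFIG, vk, dk)
    print(f"rewrote {n} machineKey element(s)")
    print(audit_farm({"node1": SAMPLE_WEB_CONFIG, "node2": fixed}))  # two findings
    print(audit_farm({"node1": fixed, "node2": fixed}))              # clean
```

Generate the pair once, write the same values into every node's web.config, then recycle the application pools. Rotating the key invalidates every outstanding ViewState and forms-authentication ticket, which is the intended effect after a key disclosure.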

Discovery

Huntress discovered active in-the-wild exploitation and published the initial analysis.

Exploitation Context

Confirmed zero-day exploitation at time of disclosure. Huntress observed attackers exploiting the vulnerability to deploy webshells and establish persistent access on CentreStack servers. CISA added CVE-2025-30406 to the KEV catalog on 8 April 2025, with a 21-day federal remediation deadline. No named threat actor group has been publicly attributed.

Remediation

  1. Apply the Gladinet patch to update CentreStack to version 16.3.10529+ or apply the Triofox fix per the vendor advisory.
  2. Replace the machine key manually if upgrading is not immediately possible: in web.config, generate new unique validationKey and decryptionKey values and replace the hard-coded defaults. Apply consistently across all servers in a farm.
  3. Hunt for webshells: check IIS web root directories for unexpected .aspx files or modified application files.
  4. Review IIS logs for anomalous __VIEWSTATE payloads — malicious ViewState is larger than normal and may contain binary-encoded content.
  5. Restrict CentreStack/Triofox web access to necessary users; avoid exposing administrative portals directly to the internet.
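Steps 3 and 4 above can be scripted. The Python below is an added example (not Huntress's or Gladinet's tooling) that parses IIS W3C logs, flags POSTs to .aspx pages whose request body is far larger than the application normally sends, flags ViewState carried in a query string, flags requests to .aspx files outside a baseline of known application pages, and compares the web root against a deployment manifest to surface new or modified script files. The log lines, the KNOWN_PAGES baseline, the 20000-byte threshold, the manifest and the directory listing are constructed, and the IIS log is assumed to have the cs-bytes (Bytes Received) field enabled.

```python
"""Hunt for ViewState abuse and webshells on a CentreStack/Triofox IIS host.

Added example, not vendor or Huntress tooling. Log lines, page baseline,
byte threshold, manifest and directory listing are all constructed.
"""
import os
from datetime import datetime

# Constructed W3C log excerpt. IIS replaces spaces inside a field with '+'
# and only emits cs-bytes when Bytes Received is enabled as a logging field.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2025-04-03 10:00:01 10.0.0.5 GET /portal/loginpage.aspx - 443 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 200 14230 512 31
2025-04-03 10:00:04 10.0.0.5 POST /portal/loginpage.aspx - 443 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0) 302 310 2140 45
2025-04-03 10:07:12 10.0.0.5 POST /portal/loginpage.aspx - 443 203.0.113.7 python-requests/2.31 500 3120 48211 210
2025-04-03 10:07:19 10.0.0.5 GET /portal/x7.aspx - 443 203.0.113.7 python-requests/2.31 200 410 320 12
"""

# Constructed baseline of legitimate .aspx pages (hypothetical names) and a
# POST-body threshold to be tuned to the largest legitimate ViewState observed.
KNOWN_PAGES = {"/portal/loginpage.aspx", "/portal/default.aspx"}
POST_BYTES_THRESHOLD = 20000

# Constructed stand-in for walk_webroot() output plus the deployment manifest.
SAMPLE_LISTING = [
    ("default.aspx", datetime(2025, 3, 1)),
    ("loginpage.aspx", datetime(2025, 4, 3)),  # manifest page touched after deployment
    ("bin/app.dll", datetime(2025, 3, 1)),
    ("x7.aspx", datetime(2025, 4, 3)),         # script file not in the manifest
]
SAMPLE_MANIFEST = {"default.aspx", "loginpage.aspx"}
SAMPLE_DEPLOYED = datetime(2025, 3, 2)


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split(" ")
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_viewstate_anomalies(rows, known_pages=KNOWN_PAGES, threshold=POST_BYTES_THRESHOLD):
    """Return (c-ip, uri-stem, reason) tuples for .aspx requests worth triage."""
    findings = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        if not stem.endswith(".aspx"):
            continue
        body = r.get("cs-bytes", "-")
        if r.get("cs-method", "").upper() == "POST" and body.isdigit() and int(body) > threshold:
            findings.append((r["c-ip"], stem, f"oversized POST body ({body} bytes) to a ViewState page"))
        if "__viewstate" in r.get("cs-uri-query", "").lower():
            findings.append((r["c-ip"], stem, "ViewState carried in the query string"))
        if stem not in known_pages:
            findings.append((r["c-ip"], stem, "request to .aspx outside the application baseline"))
    return findings


def find_unexpected_aspx(entries, manifest, deployed_after):
    """entries: (relative_path, mtime) pairs from the web root. Flags script
    files missing from the deployment manifest and manifest files modified
    after the deployment timestamp (a tampered legitimate page)."""
    manifest = {m.lower() for m in manifest}
    flagged = []
    for rel_path, mtime in entries:
        lower = rel_path.lower()
        if not lower.endswith((".aspx", ".ashx", ".asmx")):
            continue
        if lower not in manifest:
            flagged.append((rel_path, "not in deployment manifest"))
        elif mtime > deployed_after:
            flagged.append((rel_path, "modified after deployment"))
    return flagged


def walk_webroot(webroot):
    """Yield (relative_path, mtime) for every file under an IIS web root,
    e.g. a hypothetical C:\\inetpub\\wwwroot\\portal on the real host."""
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            yield rel, datetime.fromtimestamp(os.path.getmtime(full))


if __name__ == "__main__":
    for finding in find_viewstate_anomalies(parse_iis_w3c(SAMPLE_IIS_LOG)):
        print("LOG ", finding)
    for finding in find_unexpected_aspx(SAMPLE_LISTING, SAMPLE_MANIFEST, SAMPLE_DEPLOYED):
        print("FILE", finding)
```

On a live host, feed walk_webroot() the real web root and build the manifest from a clean installer of the same version; any .aspx/.ashx/.asmx file outside that manifest, or inside it but with a post-deployment modification time, is the first thing to pull for analysis.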

Key Details

CVE ID: CVE-2025-30406
Vendor / Product: Gladinet — CentreStack
NVD Published: 2025-04-03
NVD Last Modified: 2025-11-05
CVSS 3.1 Score: 9.0
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-321
CISA KEV Added: 2025-04-08
CISA KEV Deadline: 2025-04-29
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-04-29. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2025-04-03: CVE published; Gladinet releases patches for CentreStack and Triofox
2025-04-08: CISA adds to Known Exploited Vulnerabilities catalog
2025-04-29: CISA BOD 22-01 remediation deadline