CVE-2025-30406 Detection: Critical RCE Vulnerability in Gladinet CentreStack & Triofox Under Active Exploitation
A critical vulnerability in the widely used Gladinet CentreStack and Triofox enterprise file sharing and remote access platforms has surfaced — and it’s already under active exploitation. At least seven organizations have reportedly been compromised through this flaw, tracked as CVE-2025-30406. The root cause? A hard-coded cryptographic key that leaves internet-facing servers dangerously exposed to remote code execution attacks.
Detect Attacks Leveraging CVE-2025-30406 Vulnerability
As of April 2025, the NIST NVD has recorded over 14,500 new CVEs, with a significant number already exploited in the wild. The rapid weaponization of vulnerabilities underscores the urgent need for proactive threat detection. To effectively reduce risk, security teams must prioritize early identification and response strategies that stay ahead of evolving threats.
Register for the SOC Prime Platform and access a set of curated Sigma rules addressing CVE-2025-30406 exploitation attempts, along with a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just hit the Explore Detections button below to drill down immediately to the relevant detection stack.
All the rules are compatible with 40+ SIEM, EDR, and Data Lake technologies, and mapped to MITRE ATT&CK® to streamline threat investigation. Additionally, each rule is enriched with extensive metadata, including CTI references, attack timelines, audit configurations, triage recommendations, and more.
Cyber defenders seeking more content to detect cyber-attacks weaponizing trending vulnerabilities can access the whole collection of relevant detection algorithms by searching Threat Detection Marketplace with the “CVE” tag.
CVE-2025-30406 Analysis
On April 8, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-30406 to its Known Exploited Vulnerabilities catalog, confirming ongoing exploitation in the wild. Exploitation was first observed as a zero-day in March 2025, but the exact nature and scope of the attacks remain unclear. The vulnerability was initially discovered in Gladinet’s CentreStack software and addressed in version 16.4.10315.56368, released on April 3, 2025. However, new findings from Huntress confirm that the flaw also affects Triofox, another Gladinet product, up to version 16.4.10317.56372, significantly widening the attack surface.
At least seven organizations have already fallen prey to CVE-2025-30406, with the earliest signs of intrusion traced to April 11, 2025. Threat actors wasted no time, exploiting the vulnerability to deploy encoded PowerShell scripts that download and sideload malicious DLLs. Post-compromise activity includes lateral movement across networks and the installation of MeshCentral for persistent remote access. Investigators have also observed the use of Impacket tooling via PowerShell to carry out system enumeration and drop MeshAgent payloads. While the tactics are becoming clearer, the full extent and ultimate objectives of these campaigns remain shrouded in uncertainty.
CVE-2025-30406 carries a critical CVSS score of 9.0 and stems from flawed cryptographic key management in Gladinet’s web applications. Specifically, the software relies on hardcoded or poorly secured machineKey values in the IIS web.config, which are meant to safeguard ASP.NET ViewState data. If an attacker is able to access or guess these keys, they can craft malicious ViewState payloads that bypass integrity checks. In certain configurations, this opens the door to deserialization attacks, potentially resulting in remote code execution on the server.
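As an added, hypothetical defender-side check (not Gladinet's or the vendor's code), the script below parses IIS web.config content and flags a static machineKey in place of AutoGenerate, a legacy ViewState MAC algorithm, and the same static key appearing on more than one host; the configs, host names and key material are constructed placeholders.

```python
"""Audit ASP.NET <machineKey> settings in IIS web.config files.

Hypothetical example, not Gladinet's code. Flags static validationKey /
decryptionKey values (instead of AutoGenerate), legacy MAC algorithms,
and the same static key reused across hosts, which is what makes a
hardcoded key exploitable against every install at once.
"""
import hashlib
import xml.etree.ElementTree as ET

LEGACY_VALIDATION = {"MD5", "SHA1"}   # pre-HMACSHA256 ViewState MAC algorithms
AUTOGEN = "AutoGenerate"              # ASP.NET default: per-machine random key

def audit_machine_key(config_xml: str) -> dict:
    """Inspect one web.config and return findings for its <machineKey>."""
    root = ET.fromstring(config_xml)
    mk = root.find("system.web/machineKey")
    findings = {"static_keys": False, "legacy_validation": False, "fingerprint": None}
    if mk is None:                    # absent element means AutoGenerate defaults
        return findings
    vkey = mk.get("validationKey", AUTOGEN)
    dkey = mk.get("decryptionKey", AUTOGEN)
    if not (vkey.startswith(AUTOGEN) and dkey.startswith(AUTOGEN)):
        findings["static_keys"] = True
        # Report a fingerprint, never the raw key, so results can be shared safely
        findings["fingerprint"] = hashlib.sha256(f"{vkey}|{dkey}".encode()).hexdigest()[:16]
    if mk.get("validation", "HMACSHA256").upper() in LEGACY_VALIDATION:
        findings["legacy_validation"] = True
    return findings

def shared_static_keys(configs: dict) -> dict:
    """Map fingerprint -> hosts for static keys present on more than one host."""
    groups = {}
    for host, xml_text in configs.items():
        fp = audit_machine_key(xml_text)["fingerprint"]
        if fp:
            groups.setdefault(fp, []).append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}

# Constructed sample configs; the hex below is placeholder material, not a real key.
STATIC_CFG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="SHA1" decryption="AES"/>
</system.web></configuration>"""
AUTOGEN_CFG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256"/>
</system.web></configuration>"""
FLEET = {"fileserver-01": STATIC_CFG, "fileserver-02": STATIC_CFG, "fileserver-03": AUTOGEN_CFG}

if __name__ == "__main__":
    print(audit_machine_key(STATIC_CFG))
    print(shared_static_keys(FLEET))
```

A shared fingerprint across unrelated hosts is the signature of a vendor-shipped key and is the condition that rotating the machineKey (or returning it to AutoGenerate) removes.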
Given the active exploitation and critical nature of this vulnerability, all users are strongly advised to update their Gladinet CentreStack and Triofox installations to the latest available versions. Following the vendor’s guidance outlined in the official advisory is essential to reduce exposure and strengthen defenses against potential attacks. Organizations striving to risk-optimize their cybersecurity posture can rely on the SOC Prime Platform for collective cyber defense to identify CVE exploitation attempts in a timely manner and proactively thwart cyber attacks of any scale and sophistication.