Full Report
A critical vulnerability in the widely used Gladinet CentreStack and Triofox enterprise file sharing and remote access platforms has surfaced — and it’s already under active exploitation. At least seven organizations have reportedly been compromised through this flaw, tracked as CVE-2025-30406. The root cause? A hard-coded cryptographic key that leaves internet-facing servers dangerously exposed to […] The post CVE-2025-30406 Detection: Critical RCE Vulnerability in Gladinet CentreStack & Triofox Under Active Exploitation appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Critical RCE via ViewState Deserialization in Gladinet CentreStack & Triofox
## CVE Details
- CVE ID: CVE-2025-30406
- CVSS Score: 9.0 (Critical) (Inferred based on RCE/Active Exploitation context, specific score missing)
- CWE: Flawed Cryptographic Key Management (Implied)
## Affected Systems
- Products: Gladinet CentreStack, Triofox
- Versions: Specific vulnerable versions are not explicitly listed, but implied to be prior to the patch releases.
- Configurations: Relies on flawed cryptographic key management in IIS web applications leveraging ASP.NET ViewState data.
## Vulnerability Description
The vulnerability stems from flawed cryptographic key management within Gladinet's web applications. Specifically, the software uses hardcoded or insufficiently secured `machineKey` values in the IIS `web.config` file, which are intended to secure ASP.NET ViewState data. An attacker who gains access to or can guess these keys can forge malicious ViewState payloads. This bypasses integrity checks and, under certain configurations, leads to deserialization attacks, ultimately resulting in Remote Code Execution (RCE) on the affected server.
## Exploitation
- Status: Active Exploitation
- Complexity: Not explicitly detailed, but RCE often implies **Medium** to **High**.
- Attack Vector: Likely **Network** (due to web application context).
## Impact
- Confidentiality: High (Likely allows access to system information or data)
- Integrity: High (Allows arbitrary code execution, leading to full system compromise)
- Availability: High (Can lead to system downtime or complete takeover)
## Remediation
### Patches
- Users are strongly advised to update their Gladinet CentreStack and Triofox installations to the latest available versions as guided by the vendor advisory.
### Workarounds
- No specific technical workarounds are listed in the provided text, but adhering strictly to the vendor's official advisory is recommended.
## Detection
- **Indicators of Compromise (IoCs):** Not explicitly listed, but should focus on requests containing manipulated/forged ASP.NET ViewState data or subsequent malicious activity following a successful RCE.
- **Detection methods and tools:** Organizations are encouraged to use platforms like the SOC Prime Platform for timely identification of exploitation attempts. Custom detection rules targeting abnormal HTTP requests with suspicious ViewState parameters should be developed.
## References
- Vendor Advisory: gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2025-triofox.pdf