Full Report
A critical vulnerability in the widely used Gladinet CentreStack and Triofox enterprise file sharing and remote access platforms has surfaced — and it’s already under active exploitation. At least seven organizations have reportedly been compromised through this flaw, tracked as CVE-2025-30496. The root cause? A hard-coded cryptographic key that leaves internet-facing servers dangerously exposed to […] The post CVE-2025-30496 Detection: Critical RCE Vulnerability in Gladinet CentreStack & Triofox Under Active Exploitation appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Critical RCE in Gladinet CentreStack & Triofox due to Flawed Key Management
## CVE Details
- CVE ID: CVE-2025-30496
- CVSS Score: 9.0 (Critical)
- CWE: Not explicitly specified, but related to improper cryptographic key management (CWE-327 implied for weak keys).
## Affected Systems
- Products: Gladinet CentreStack and Triofox
- Versions: All versions preceding the vendor patch (the source lists no specific vulnerable version numbers; older releases are implied).
- Configurations: ASP.NET ViewState protection that relies on hard-coded or otherwise insecure `machineKey` values in the IIS `web.config`.
## Vulnerability Description
This is a critical Remote Code Execution (RCE) vulnerability stemming from flawed cryptographic key management within Gladinet's web applications. The software uses hard-coded or poorly secured `machineKey` values in the IIS `web.config` file to protect ASP.NET ViewState data. Because the `machineKey` is what ASP.NET uses to compute the ViewState MAC, an attacker who obtains or successfully guesses these keys can forge ViewState payloads that pass the integrity check. The server then deserializes the forged ViewState, and that deserialization is what yields Remote Code Execution (RCE) on the vulnerable host.
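An added example (not code from the SOC Prime post or the vendor advisory): a Python audit that parses an ASP.NET `web.config` and flags the conditions described above, a constructed weak configuration beside a hardened one. The hex key values and the `known_shipped_keys` parameter are placeholders; the real hard-coded values are not on this page and would come from the vendor advisory.

```python
import xml.etree.ElementTree as ET

# machineKey algorithms considered acceptable today (ASP.NET 4.5+ defaults are HMACSHA256/AES).
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
STRONG_DECRYPTION = {"AES", "AUTO"}

def audit_machine_key(web_config_xml, known_shipped_keys=()):
    """Return findings for the <machineKey>/ViewState settings of an ASP.NET web.config.
    known_shipped_keys: key values known to be hard-coded in a vendor build (placeholder
    parameter; real values would come from the vendor advisory, not this example)."""
    findings = []
    root = ET.fromstring(web_config_xml)
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState integrity is never checked")
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return findings  # no element: ASP.NET auto-generates per-application keys
    shipped = {k.upper() for k in known_shipped_keys}
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue  # auto-generated keys cannot be read out of a shipped web.config
        if value.upper() in shipped:
            findings.append(f"{attr} matches a vendor-shipped key: rotate it immediately")
        else:
            findings.append(f"{attr} is static: confirm it was generated for this deployment only")
    validation = mk.get("validation", "HMACSHA256")
    if validation.upper() not in STRONG_VALIDATION:
        findings.append(f"validation={validation}: use HMACSHA256 or stronger")
    decryption = mk.get("decryption", "Auto")
    if decryption.upper() not in STRONG_DECRYPTION:
        findings.append(f"decryption={decryption}: use AES")
    return findings

# Constructed sample configs; the hex key values are made up for this example, not real keys.
WEAK_CONFIG = """<configuration><system.web>
  <machineKey validationKey="CAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE"
              decryptionKey="DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"
              validation="SHA1" decryption="3DES"/>
</system.web></configuration>"""

# AutoGenerate is right for a single server; a web farm needs one freshly generated key per farm.
HARDENED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""
```

Run `audit_machine_key(WEAK_CONFIG, known_shipped_keys=["CAFEBABE" * 5])` to see the four findings; the hardened sample returns an empty list.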
## Exploitation
- Status: Under Active Exploitation
- Complexity: Implied Medium/Low (requires key access/guessing for payload crafting)
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Users must update to the latest available versions of Gladinet CentreStack and Triofox as directed by the vendor advisory.
### Workarounds
- Follow the guidance in the official vendor advisory; the source details no technical workaround beyond immediate patching.
## Detection
- **Indicators of Compromise:** Requests carrying forged ASP.NET ViewState payloads, and unexpected deserialization or object execution in the web application process.
- **Detection Methods and Tools:** Utilize threat detection platforms (e.g., SOC Prime Platform) to search for exploitation attempts correlated with CVE-2025-30496.
## References
- Vendor Advisory: gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2025-triofox.pdf