A critical vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox software has been discovered and is being actively exploited. The flaw involves hardcoded cryptographic keys in configuration files, allowing attackers to abuse ASPX ViewState for remote code execution. Affected versions include CentreStack below 16.4.10315.56368 and Triofox below 16.4.10317.56372. Exploitation leads to immediate compromise with potential for privilege escalation. Mitigation involves patching or changing machineKey values. Post-exploitation activities include downloading malicious DLLs, lateral movement, and installation of remote access tools like MeshCentral. Immediate action is recommended for vulnerable servers exposed to the internet.

Author: AlienVault
Related Tags:
centrestack
meshcentral
aspx viewstate
hardcoded keys
gladinet
cve-2025-30406
T1021.006
privilege escalation
T1569.002
Associated Indicators:
48B006CB17E75ECDB707DC40DD654F449B94ABE49F97A808B35CABCA1C5FABBF
30981D4082B58704D12A376C3CBB12FECB8A36C2BCE64666315E26AEF21E75C2
2.58.56.16
165.227.7.206
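
As an added example (not part of the original advisory and not Gladinet tooling), the following Python code checks an installed build against the fixed versions named above and fingerprints literal machineKey values in web.config files to find keys that are identical across servers. The host names, sample key strings and function names are assumptions made for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# First fixed builds, taken from the advisory text above.
FIXED_BUILD = {
    "centrestack": (16, 4, 10315, 56368),
    "triofox": (16, 4, 10317, 56372),
}

def needs_patch(product, version):
    """True when the installed build is older than the first fixed build."""
    installed = tuple(int(part) for part in version.strip().split("."))
    return installed < FIXED_BUILD[product.lower()]

def machine_key_fingerprints(web_config_xml):
    """Map each literal machineKey attribute to a short SHA-256 fingerprint.

    AutoGenerate values are skipped: only keys written into the file are
    of interest. Fingerprints let keys be compared without logging them.
    """
    prints = {}
    for node in ET.fromstring(web_config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = node.get(attr)
            if value and not value.startswith("AutoGenerate"):
                digest = hashlib.sha256(value.strip().upper().encode()).hexdigest()
                prints[attr] = digest[:16]
    return prints

def shared_keys(configs):
    """Given {host: web.config text}, return key fingerprints seen on 2+ hosts."""
    seen = defaultdict(set)
    for host, xml_text in configs.items():
        for attr, fp in machine_key_fingerprints(xml_text).items():
            seen[(attr, fp)].add(host)
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) > 1}

# Constructed sample configs; the key strings are made-up placeholders.
def _cfg(validation, decryption):
    return ('<configuration><system.web><machineKey validationKey="%s" '
            'decryptionKey="%s" validation="SHA1" /></system.web></configuration>'
            % (validation, decryption))

SAMPLE = {
    "files-01": _cfg("AAAA1111", "BBBB2222"),   # same literal keys as files-02
    "files-02": _cfg("AAAA1111", "BBBB2222"),
    "files-03": _cfg("CCCC3333", "DDDD4444"),   # rotated to unique values
    "files-04": _cfg("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}
```

Identical fingerprints on separately installed servers point to key values that were never changed from what the installer wrote; nodes of a single web farm share a machineKey by design, so group hosts by farm before reading the result.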


