Ethical Hacking News
A critical vulnerability has been discovered in Gladinet CentreStack, an enterprise file-sharing platform widely used across multiple countries. The remote code execution (RCE) exploit allows attackers to breach storage servers remotely, raising concerns about the platform's security posture and prompting a strong recommendation from the vendor for immediate patching.
Hackers exploited a previously unknown vulnerability (CVE-2025-30406) in Gladinet CentreStack to breach file sharing servers remotely. The exploit is a deserialization issue caused by using hardcoded machineKey values, allowing attackers to bypass integrity checks and inject malicious code. Gladinet has released security patches for the vulnerability, but users are advised to update immediately or rotate 'machineKey' values to avoid operational issues. CISA has added CVE-2025-30406 to its Known Exploited Vulnerability catalog, indicating it's likely targeted by ransomware gangs. The breach highlights the importance of up-to-date software management and security best practices in protecting against exploitation.
CentreStack RCE exploited as zero-day to breach file sharing servers
In a disturbing revelation, hackers have successfully exploited a previously unknown vulnerability in the Gladinet CentreStack enterprise file-sharing platform, allowing them to breach storage servers remotely. According to reports from Bill Toulas, a tech writer and infosec news reporter, the exploit has been observed in the wild since March 2025, with the vulnerability, tracked as CVE-2025-30406, being a deserialization issue stemming from the use of hardcoded machineKey values.
For those unfamiliar with the Gladinet CentreStack platform, it is an enterprise file-sharing and access solution designed to turn on-premise file servers into secure, cloud-like systems that enable remote access to internal file shares, file syncing, and sharing. Its widespread adoption across 49 countries, including major enterprises, managed service providers (MSPs), and organizations requiring cloud-like access without migrating to the cloud, raises significant concerns about the platform's security posture.
The vulnerability in question is a deserialization issue that arises from using hardcoded machineKey values in both 'root\web.config' and 'portal.web.config'. This key is supposed to secure ASP.NET ViewState integrity checks, but an attacker with knowledge of this specific value can craft a malicious serialized payload that will be trusted by the server. The exploitation of this vulnerability allows attackers to bypass integrity checks, inject arbitrary serialized objects, and execute code on the server.
Gladinet has since released security patches for CVE-2025-30406 in versions 16.4.10315.56368 (Windows), 16.3.4763.56357 (Windows), and 15.12.434 (macOS). The vendor strongly advises users to update their platforms to the latest patch immediately, or to manually rotate the 'machineKey' values across both configurations. In multi-server deployments, the rotated values must be kept consistent across servers to avoid operational issues once the mitigation is applied.
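The rotation check described in the two paragraphs above can be automated. The following is an added example, not code from Gladinet or the original article: it fingerprints the static machineKey in each collected config file, flags any file still carrying the shipped key, and flags rotated keys that differ between servers. The sample configs, server names and key values are constructed, and the shipped-key fingerprint is assumed to be taken by the defender from a pre-patch installation.

```python
import hashlib
import xml.etree.ElementTree as ET

def key_fingerprint(config_xml):
    """SHA-256 of the static machineKey pair, or None if keys are auto-generated."""
    elem = ET.fromstring(config_xml).find(".//machineKey")
    if elem is None:
        return None
    vk = elem.get("validationKey", "AutoGenerate")
    dk = elem.get("decryptionKey", "AutoGenerate")
    if vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"):
        return None
    # Hash the pair so raw key material never lands in reports or tickets.
    return hashlib.sha256(f"{vk}|{dk}".upper().encode()).hexdigest()

def audit(configs, shipped):
    """configs: {(server, file): xml}; shipped: set of known shipped-key fingerprints."""
    prints = {loc: key_fingerprint(xml) for loc, xml in configs.items()}
    rotated = {fp for fp in prints.values() if fp} - shipped
    findings = []
    for (server, path), fp in prints.items():
        if fp in shipped:
            findings.append((server, path, "shipped-key"))
        elif fp in rotated and len(rotated) > 1:
            findings.append((server, path, "key-mismatch"))
    return sorted(findings)

def sample_config(vk, dk):
    """Constructed web.config fragment; the key values are placeholders."""
    return (f'<configuration><system.web><machineKey validationKey="{vk}" '
            f'decryptionKey="{dk}" validation="HMACSHA256" decryption="AES"/>'
            '</system.web></configuration>')

SHIPPED = sample_config("AAAA0000", "BBBB0000")  # stands in for the hardcoded key
ROTATED = sample_config("C1C1C1C1", "D2D2D2D2")  # stands in for a freshly rotated key
SAMPLE = {
    ("node1", r"root\web.config"): ROTATED,
    ("node1", "portal.web.config"): SHIPPED,     # missed during rotation
    ("node2", r"root\web.config"): ROTATED,
    ("node2", "portal.web.config"): ROTATED,
}
SHIPPED_FPS = {key_fingerprint(SHIPPED)}

if __name__ == "__main__":
    for finding in audit(SAMPLE, SHIPPED_FPS):
        print(finding)
```
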
Moreover, CISA has added CVE-2025-30406 to its Known Exploited Vulnerability catalog but has not indicated that it has been exploited by ransomware gangs. However, given the product's nature and the past targeting of similar products by groups such as the Clop ransomware gang, which has historically focused on exploiting file-sharing systems, it is likely this vulnerability will also be targeted for data theft attacks.
To mitigate exposure and protect against exploitation, security patches are available from Gladinet. Users must ensure timely application to secure their environments.
The breach of a previously unpatched enterprise file-sharing platform highlights the importance of up-to-date software management and security best practices in today's digital landscape. As more vulnerabilities come to light like this one, staying informed about known exploits and keeping systems patched will remain a crucial component of cybersecurity strategies for organizations across various sectors.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-Exposed-The-Gladinet-CentreStack-Remote-Code-Execution-RCE-Exploit-ehn.shtml
https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
https://nvd.nist.gov/vuln/detail/CVE-2025-30406
https://www.cvedetails.com/cve/CVE-2025-30406/
Published: Wed Apr 9 11:41:41 2025 by llama3.2 3B Q4_K_M