Hackers exploited zero-day flaw in Gladinet CentreStack software since March

A critical zero-day vulnerability in Gladinet CentreStack’s enterprise file-sharing software has been actively exploited by hackers since March 2025, potentially exposing thousands of businesses to remote code execution attacks.

Gladinet CentreStack is widely used by managed service providers (MSPs) and enterprises with Windows-based file servers, offering cloud-like remote access, file syncing, and Active Directory integration without the need for full cloud migration. The company claims its software is deployed across 49 countries.

The flaw, now tracked as CVE-2025-30406, affects CentreStack versions up to 16.1.10296.56315 and stems from a hardcoded machineKey in the web application’s configuration file. This key secures ASP.NET ViewState data, so an attacker who knows it can forge data payloads that the server treats as trusted. This could let threat actors inject malicious serialized objects and gain remote code execution on vulnerable servers.

Gladinet confirmed exploitation in the wild and issued an emergency security patch on April 3, 2025, addressing the vulnerability in versions 16.4.10315.56368, 16.3.4763.56357 (Windows), and 15.12.434 (macOS). The company advises all users to update immediately or manually rotate the machineKey values in both root\web.config and portal\web.config files as an interim mitigation.

“Exploitation has been observed in the wild. We strongly recommend updating to the patched version, which improves key management and mitigates exposure. For customers who cannot update immediately, rotating the machineKey values is a recommended interim mitigation,” Gladinet advised.
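One way to verify the interim mitigation across several servers, as an added example that is not Gladinet's tooling: it fingerprints the machineKey in each collected web.config so an administrator can confirm that both root\web.config and portal\web.config no longer carry the pre-rotation key. The host names, key strings and status labels are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs; the key strings are placeholders, not real key material.
def sample_config(vkey, dkey):
    return (f'<configuration><system.web><machineKey validationKey="{vkey}" '
            f'decryptionKey="{dkey}" validation="HMACSHA256" decryption="AES"/>'
            '</system.web></configuration>')

SAMPLES = {
    r"hostA\root\web.config": sample_config("PLACEHOLDER-V-OLD", "PLACEHOLDER-D-OLD"),
    r"hostA\portal\web.config": sample_config("PLACEHOLDER-V-OLD", "PLACEHOLDER-D-OLD"),
    r"hostB\root\web.config": sample_config("PLACEHOLDER-V-NEW", "PLACEHOLDER-D-NEW"),
    r"hostB\portal\web.config": sample_config("PLACEHOLDER-V-OLD", "PLACEHOLDER-D-OLD"),
    r"hostC\root\web.config": sample_config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}

def fingerprint(config_xml):
    """Return (state, fp). fp is a truncated SHA-256 of the static key pair, so keys
    can be compared across files and hosts without writing the keys to a report."""
    root = ET.fromstring(config_xml)
    mk = next((e for e in root.iter() if e.tag.split("}")[-1] == "machineKey"), None)
    if mk is None:
        return "absent", None
    # An omitted attribute falls back to ASP.NET's auto-generated key.
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    if vkey.startswith("AutoGenerate") and dkey.startswith("AutoGenerate"):
        return "auto", None
    digest = hashlib.sha256(f"{vkey}|{dkey}".encode()).hexdigest()
    return "static", digest[:16]

def audit(configs, pre_rotation_fps):
    """Map each config path to absent / auto / not-rotated / static-new."""
    report = {}
    for path, xml_text in configs.items():
        state, fp = fingerprint(xml_text)
        if state == "static":
            state = "not-rotated" if fp in pre_rotation_fps else "static-new"
        report[path] = state
    return report

# Fingerprint recorded before rotation (here taken from the constructed hostA sample).
OLD_FP = fingerprint(SAMPLES[r"hostA\root\web.config"])[1]

if __name__ == "__main__":
    for path, state in audit(SAMPLES, {OLD_FP}).items():
        print(f"{state:12} {path}")
```

In the constructed data, hostB shows the failure mode worth checking for: the root file was rotated but the portal file still carries the old key.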

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently added CVE-2025-30406 to its Known Exploited Vulnerabilities catalog, indicating active exploitation.
